Analysis
  max time kernel: 307s
  max time network: 310s
  platform: windows10_x64
  resource: win10v20210408
  submitted: 10-10-2021 08:28

Static task: static1
Behavioral task: behavioral1
  Sample: Chaos Ransomware Builder v4.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: Chaos Ransomware Builder v4.exe
  Resource: win10v20210408

The signatures and process tree below are from the behavioral2 run (win10v20210408, the resource named in the Analysis header); the win7 run is not reported on this page.
General
  Target: Chaos Ransomware Builder v4.exe
  Size: 550KB
  MD5: 8b855e56e41a6e10d28522a20c1e0341
  SHA1: 17ea75272cfe3749c6727388fd444d2c970f9d01
  SHA256: f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
  SHA512: eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908
Malware Config
  Extracted from: C:\Users\Admin\Desktop\read_it.txt (ransom note)
  Bitcoin address in the note: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0
  The same note is also written to C:\Users\Admin\AppData\Roaming\read_it.txt (the copy the payload opens in Notepad, see the Processes section) and to the user's Startup folder (see "Drops startup file" below), so a single path is not a reliable indicator for it.
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
    PID 4100 created 1336 | 4100 | WerFault.exe | PaintStudio.View.exe
  Caveat: this is Windows Error Reporting handling the PaintStudio.View.exe crash recorded under "Program crash" below; it is sandbox noise, not an action of the sample.
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes (pid | process):
    1820 | bcdedit.exe
    2824 | bcdedit.exe

Deletes backup catalog (1 IoC)
  Processes (pid | process):
    3652 | wbadmin.exe
  (The heading for this entry is missing from the report; the Processes section labels wbadmin.exe PID 3652, which ran "wbadmin delete catalog -quiet", with this signature.)
Executes dropped EXE (3 IoCs)
  Processes (pid | process):
    820 | EnableOpen.exe
    3716 | svchost.exe
    2156 | Decrypter.exe
  Note: this svchost.exe runs from C:\Users\Admin\AppData\Roaming (see the Processes section), not from C:\Windows\System32; the payload borrows the name of a system binary.
Modifies extensions of user files (8 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description | ioc | process):
    File renamed | C:\Users\Admin\Pictures\EnableMeasure.raw => C:\Users\Admin\Pictures\EnableMeasure.raw.mqu8 | svchost.exe
    File renamed | C:\Users\Admin\Pictures\FormatDeny.png => C:\Users\Admin\Pictures\FormatDeny.png.0nau | svchost.exe
    File renamed | C:\Users\Admin\Pictures\WatchStep.tif => C:\Users\Admin\Pictures\WatchStep.tif.8ken | svchost.exe
    File opened for modification | C:\Users\Admin\Pictures\EnableMeasure.raw.mqu8 | Decrypter.exe
    File opened for modification | C:\Users\Admin\Pictures\FormatDeny.png.0nau | Decrypter.exe
    File opened for modification | C:\Users\Admin\Pictures\GetWatch.tiff | Decrypter.exe
    File opened for modification | C:\Users\Admin\Pictures\PublishDisconnect.tiff | Decrypter.exe
    File opened for modification | C:\Users\Admin\Pictures\WatchStep.tif.8ken | Decrypter.exe
  Note: the original name and extension are kept and a different four-character suffix is appended to each file (.mqu8, .0nau, .8ken), so there is no single extension to key a detection on; the pattern "original name + short random suffix" is the signal.
Drops startup file (6 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.jc7v | Decrypter.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | Decrypter.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | Decrypter.exe
  Note: a .url shortcut in the Startup folder is launched at every logon, so svchost.url is the persistence mechanism; read_it.txt there is the ransom note. Decrypter.exe opening the same files is consistent with the decrypter restoring or removing them.
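The rename and Startup-folder entries above are the two file-system signals worth alerting on: every encrypted file keeps its original name and gains a different short suffix, and an autostart shortcut plus a note land in the Startup folder. The block below is an added example, not code from the sandbox or from the Chaos builder. It classifies constructed file events built from the paths listed above (the (op, src, dst, process) tuples are an assumption, not the sandbox's schema), with two benign renames added as controls; it reports the appended-suffix pattern, whether the suffix is fixed or per-file, and what was dropped into Startup.

```python
"""Detect ransomware-style bulk renames and autostart/ransom-note drops.

Added example for this report, not code from the sandbox or from Chaos. EVENTS is
constructed from the paths the report lists under "Modifies extensions of user files"
and "Drops startup file", plus benign controls; the event tuple layout is an assumption.
"""
import ntpath
import re

STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# Short alphanumeric suffix appended after the original extension, e.g. ".png.0nau".
APPENDED_SUFFIX = re.compile(r"^[a-z0-9]{3,8}$", re.I)
# Suffixes people append by hand; a rename to one of these is not evidence on its own.
BENIGN_SUFFIXES = {"bak", "old", "orig", "tmp", "zip", "gz", "7z"}
AUTOSTART_EXT = {".url", ".lnk", ".exe", ".bat", ".cmd", ".vbs", ".js", ".hta"}
NOTE_NAME = re.compile(r"(read|decrypt|recover|restore|how.?to|help)", re.I)


def appended_suffix(src, dst):
    """Return the suffix when dst is exactly src plus '.<short token>', else None."""
    if not dst.lower().startswith(src.lower() + "."):
        return None
    suffix = dst[len(src) + 1:]
    if not APPENDED_SUFFIX.match(suffix) or suffix.lower() in BENIGN_SUFFIXES:
        return None
    return suffix


def classify_startup_drop(path):
    """Label a file created in the Startup folder; None when the path is elsewhere."""
    low = path.lower()
    if STARTUP_MARKER not in low:
        return None
    name = ntpath.basename(low)
    if ntpath.splitext(name)[1] in AUTOSTART_EXT:
        return "autostart"
    if NOTE_NAME.search(name):
        return "possible ransom note"
    return "other"


def analyze(events, min_renames=3):
    """Summarise the rename pattern and Startup drops; flag once enough files match."""
    renames, startup = [], []
    for op, src, dst, proc in events:
        if op == "rename":
            suffix = appended_suffix(src, dst)
            if suffix:
                renames.append((src, suffix, proc))
        elif op == "create":
            kind = classify_startup_drop(dst)
            if kind:
                startup.append((ntpath.basename(dst), kind, proc))
    suffixes = [s for _, s, _ in renames]
    distinct = {s.lower() for s in suffixes}
    if len(suffixes) >= 2 and len(distinct) == len(suffixes):
        pattern = "per-file random suffix"       # what this report shows
    elif len(distinct) == 1:
        pattern = "fixed suffix ." + suffixes[0]  # the more common single-extension case
    else:
        pattern = None
    return {"renames": renames, "suffix_pattern": pattern,
            "startup_drops": startup, "flag": len(renames) >= min_renames}


STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS = [
    ("rename", r"C:\Users\Admin\Pictures\EnableMeasure.raw", r"C:\Users\Admin\Pictures\EnableMeasure.raw.mqu8", "svchost.exe"),
    ("rename", r"C:\Users\Admin\Pictures\FormatDeny.png", r"C:\Users\Admin\Pictures\FormatDeny.png.0nau", "svchost.exe"),
    ("rename", r"C:\Users\Admin\Pictures\WatchStep.tif", r"C:\Users\Admin\Pictures\WatchStep.tif.8ken", "svchost.exe"),
    # Implied by the report: Decrypter.exe later opens desktop.ini.jc7v in the Startup folder.
    ("rename", STARTUP + r"\desktop.ini", STARTUP + r"\desktop.ini.jc7v", "svchost.exe"),
    ("create", None, STARTUP + r"\svchost.url", "svchost.exe"),
    ("create", None, STARTUP + r"\read_it.txt", "svchost.exe"),
    # Benign controls (constructed): a manual rename, a hand-made backup copy, a new document.
    ("rename", r"C:\Users\Admin\Documents\draft.docx", r"C:\Users\Admin\Documents\final.docx", "explorer.exe"),
    ("rename", r"C:\Users\Admin\Documents\notes.txt", r"C:\Users\Admin\Documents\notes.txt.bak", "explorer.exe"),
    ("create", None, r"C:\Users\Admin\Documents\todo.txt", "notepad.exe"),
]

if __name__ == "__main__":
    result = analyze(EVENTS)
    print("flag:", result["flag"], "pattern:", result["suffix_pattern"])
    for name, kind, proc in result["startup_drops"]:
        print(f"  startup drop: {name} ({kind}) by {proc}")
```

The per-file suffix check matters for this family: a rule that looks for "many files renamed to the same new extension" would miss it, while "original name preserved plus a new short suffix" catches both the fixed-extension and the per-file case.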
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  No process or file IoC is listed for this signature in the report, so it cannot be attributed to a specific process from this page.
Drops desktop.ini file(s) (35 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Users\Public\Desktop\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Public\Documents\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Public\Music\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Public\Pictures\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Public\Videos\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\Contacts\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\Desktop\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\Documents\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\Downloads\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\Favorites\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\Links\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\Music\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\Pictures\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\Searches\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\Videos\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | svchost.exe
    File opened for modification | C:\Users\Admin\Desktop\desktop.ini | Decrypter.exe
  Note: desktop.ini files carry the hidden and system attributes, so the payload touching every one of them across the user and Public profiles shows that its file walk does not skip hidden or system files.
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7qhhqvq17.jpg" | Decrypter.exe
Drops file in Windows directory (1 IoC)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
  Caveat: wiatrace.log is the Windows Image Acquisition trace log and mspaint.exe is a Windows component (see "Suspicious use of SetWindowsHookEx"); this entry is a side effect of Paint being launched, not a drop by the sample.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  No process IoC is listed for this signature in the report.
Program crash (1 IoC)
  Processes (pid | pid_target | process | target process):
    4100 | 1336 | WerFault.exe | PaintStudio.View.exe
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | vds.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | vds.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | vds.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName | vds.exe
  Caveat: the report attributes these reads only to vds.exe, the Windows Virtual Disk Service, which appears in the Processes section alongside vdsldr.exe and wbengine.exe during the wbadmin run. That is consistent with the backup tooling enumerating disks, not with the sample checking for a sandbox.
Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Caveat for both entries: the only process reading these keys is WerFault.exe, which collects hardware details for the PaintStudio.View.exe crash report (see "Program crash"); none of the sample's processes is recorded doing so.
Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid | process):
    3672 | vssadmin.exe
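The shadow-copy, bcdedit and wbadmin signatures above all trace back to one originator, the dropped svchost.exe, which launches each command through cmd.exe (the exact command lines are in the Processes section). The block below is an added example, not code from the sandbox or from the Chaos builder. It runs five command-line rules, one per destructive command in this report, over constructed process-creation events modelled on the report's process tree (the event schema with pid, ppid, image and cmdline is an assumption, not the sandbox's format), attributes each hit to the originating process by walking past cmd.exe and the utilities themselves, requires at least two distinct rules before alerting, and separately notes when the originator is a system-binary name running outside the system directories.

```python
"""Flag the backup/recovery-inhibition command chain over process-creation events.

Added example for this report; not code from the sandbox or from the Chaos builder.
EVENTS is constructed for the example from the command lines the report's process
tree shows svchost.exe launching through cmd.exe, plus one benign control. The event
schema (pid, ppid, image, cmdline) is an assumption, not the sandbox's own format.
"""
import ntpath
import re
from collections import defaultdict

# One rule per destructive command in the report (MITRE ATT&CK T1490). Read-only
# forms such as "vssadmin list shadows" or "bcdedit /enum" must not match.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_recovery_disabled", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]
# Shells and the utilities themselves are looked through when attributing a hit.
PASS_THROUGH = {"cmd.exe", "vssadmin.exe", "wmic.exe", "bcdedit.exe", "wbadmin.exe"}
# Names that belong only in the system directories; anywhere else the name is borrowed.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def match_rules(cmdline):
    """Names of every rule whose pattern occurs in cmdline."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def is_masquerading(image):
    """True when a system-binary name runs from outside the system directories."""
    low = image.lower()
    return ntpath.basename(low) in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS)


def attribute_root(pid, by_pid):
    """Walk up the parent chain past shells and utilities; the first other process
    (or the last one with a known parent) is treated as the originator."""
    seen, cur = set(), by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        parent = by_pid.get(cur["ppid"])
        if ntpath.basename(cur["image"]).lower() not in PASS_THROUGH or parent is None:
            return cur
        cur = parent
    return cur


def find_recovery_inhibition(events, min_rules=2):
    """Group hits by originator and report those that fired at least min_rules distinct
    rules; a lone 'vssadmin delete shadows' is too common in admin scripts to alert on."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(lambda: {"image": None, "rules": set(), "evidence": []})
    for e in events:
        names = match_rules(e["cmdline"])
        if names:
            root = attribute_root(e["pid"], by_pid)
            hit = hits[root["pid"]]
            hit["image"] = root["image"]
            hit["rules"].update(names)
            hit["evidence"].append((e["pid"], e["cmdline"]))
    return {
        pid: {"image": h["image"], "rules": sorted(h["rules"]),
              "masquerading_system_binary": is_masquerading(h["image"]),
              "evidence": h["evidence"]}
        for pid, h in hits.items() if len(h["rules"]) >= min_rules
    }


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed from the report's process tree; ppid None means the parent was not tracked.
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    ev(820, None, r"C:\Users\Admin\Desktop\EnableOpen.exe", r'"C:\Users\Admin\Desktop\EnableOpen.exe"'),
    ev(3716, 820, r"C:\Users\Admin\AppData\Roaming\svchost.exe", r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'),
    ev(3460, 3716, CMD, f'"{CMD}" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'),
    ev(3672, 3460, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ev(1316, 3460, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ev(1124, 3716, CMD, f'"{CMD}" /C bcdedit /set {{default}} bootstatuspolicy ignoreallfailures'
                        f' & bcdedit /set {{default}} recoveryenabled no'),
    ev(1820, 1124, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ev(2824, 1124, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ev(2184, 3716, CMD, f'"{CMD}" /C wbadmin delete catalog -quiet'),
    ev(3652, 2184, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    # Benign control (constructed): an administrator listing shadow copies.
    ev(5001, 5000, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    for pid, v in find_recovery_inhibition(EVENTS).items():
        print(f"PID {pid} {v['image']} masquerading={v['masquerading_system_binary']}")
        for name in v["rules"]:
            print("  rule:", name)
```

Attributing hits to the originator rather than alerting per utility is what turns five separate low-confidence events into one high-confidence verdict on PID 3716; the masquerading check is a cheap second signal because the page's svchost.exe lives in AppData\Roaming, where no genuine svchost.exe ever runs.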
Modifies registry class (64 IoCs)
  Abbreviations used below (the report spells every key out in full):
    LS     = \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings
    BAGMRU = LS\Software\Microsoft\Windows\Shell\BagMRU
    BAGS   = LS\Software\Microsoft\Windows\Shell\Bags
    CD2    = BAGS\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}
    CD3    = BAGS\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
    CACHE  = LS\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings
  Processes (description | ioc), grouped by process:
  Chaos Ransomware Builder v4.exe (52 IoCs):
    Key created | LS
    Key created | LS\Software\Microsoft\Windows\Shell
    Key created | BAGMRU
    Key created | BAGMRU\1
    Key created | BAGMRU\1\0
    Key created | BAGMRU\1\1
    Set value (data) | BAGMRU\MRUListEx = 00000000ffffffff
    Set value (data) | BAGMRU\MRUListEx = 0100000000000000ffffffff
    Set value (data) | BAGMRU\NodeSlots = 02
    Set value (data) | BAGMRU\NodeSlots = 0202
    Set value (data) | BAGMRU\NodeSlots = 020202
    Set value (data) | BAGMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
    Set value (data) | BAGMRU\1\MRUListEx = 00000000ffffffff
    Set value (data) | BAGMRU\1\MRUListEx = 0100000000000000ffffffff
    Set value (data) | BAGMRU\1\MRUListEx = 0000000001000000ffffffff
    Set value (data) | BAGMRU\1\0 = 14002e80922b16d365937a46956b92703aca08af0000
    Set value (int) | BAGMRU\1\0\NodeSlot = "2"
    Set value (data) | BAGMRU\1\0\MRUListEx = ffffffff
    Set value (data) | BAGMRU\1\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000f4ecfc87702cd701011c968a702cd701b2928c8a702cd70114000000
    Set value (int) | BAGMRU\1\1\NodeSlot = "3"
    Set value (data) | BAGMRU\1\1\MRUListEx = ffffffff
    Key created | BAGS
    Key created | BAGS\2\Shell
    Set value (str) | BAGS\2\Shell\SniffedFolderType = "Documents"
    Key created | BAGS\2\ComDlg
    Key created | CD2
    Set value (int) | CD2\Mode = "4"
    Set value (int) | CD2\LogicalViewMode = "1"
    Set value (int) | CD2\FFlags = "1"
    Set value (int) | CD2\FFlags = "1092616257"
    Set value (int) | CD2\GroupView = "0"
    Set value (int) | CD2\GroupByDirection = "1"
    Set value (int) | CD2\GroupByKey:PID = "0"
    Set value (str) | CD2\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"
    Set value (data) | CD2\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
    Set value (data) | CD2\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
    Key created | BAGS\3\Shell
    Set value (str) | BAGS\3\Shell\SniffedFolderType = "Generic"
    Key created | BAGS\3\ComDlg
    Key created | CD3
    Set value (int) | CD3\Mode = "4"
    Set value (int) | CD3\LogicalViewMode = "1"
    Set value (int) | CD3\IconSize = "16"
    Set value (int) | CD3\FFlags = "1"
    Set value (int) | CD3\FFlags = "1092616257"
    Set value (int) | CD3\GroupByDirection = "1"
    Set value (int) | CD3\GroupByKey:PID = "0"
    Set value (str) | CD3\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"
    Set value (data) | CD3\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
    Set value (data) | CD3\ColInfo = (identical to the CD2\ColInfo value above)
    Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
  PaintStudio.View.exe (10 IoCs):
    Key created | CACHE
    Key created | CACHE\Cache
    Key created | CACHE\Cache\Content
    Set value (int) | CACHE\Cache\Content\CacheLimit = "51200"
    Key created | CACHE\Cache\Cookies
    Set value (int) | CACHE\Cache\Cookies\CacheLimit = "1"
    Key created | CACHE\Cache\History
    Set value (int) | CACHE\Cache\History\CacheLimit = "1"
    Set value (str) | CACHE\Cache\History\CachePrefix = "Visited:"
    Key created | CACHE\Cache\Extensible Cache
  explorer.exe (1 IoC):
    Key created | LS
  svchost.exe (1 IoC):
    Key created | LS
  Note: the builder's entries are Explorer's ShellBag and common-dialog (ComDlg) view-state keys, which Windows writes when a program shows an open/save file dialog; they record that the builder's GUI browsed folders (the "Documents" and "Generic" sniffed folder types) and are not persistence or defence-evasion changes. The PaintStudio.View.exe entries are the Store Paint app's AppContainer cache keys. Nothing in this signature is specific to the sample.
Opens file in notepad (likely ransom note) (2 IoCs)
  Processes (pid | process):
    508 | NOTEPAD.EXE
    1712 | NOTEPAD.EXE
  PID 508 is the instance the payload spawned to display C:\Users\Admin\AppData\Roaming\read_it.txt (see the Processes section); no command line is recorded for PID 1712.
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid | process):
    3716 | svchost.exe
    1336 | PaintStudio.View.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process | times recorded):
    740 | Chaos Ransomware Builder v4.exe | 13
    820 | EnableOpen.exe | 15
    3716 | svchost.exe | 14
    2156 | Decrypter.exe | 13
    1220 | mspaint.exe | 2
    1336 | PaintStudio.View.exe | 7
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
    740 | Chaos Ransomware Builder v4.exe
Suspicious use of AdjustPrivilegeToken (56 IoCs)
  Processes (privileges enabled | pid | process):
    SeDebugPrivilege | 740 | Chaos Ransomware Builder v4.exe
    SeDebugPrivilege | 820 | EnableOpen.exe
    SeDebugPrivilege | 3716 | svchost.exe
    SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 2976 | vssvc.exe
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35,36 (this list of 21 is recorded twice, 42 IoCs) | 1316 | WMIC.exe
    SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege | 3268 | wbengine.exe
    SeDebugPrivilege | 2156 | Decrypter.exe
    SeDebugPrivilege (recorded three times) | 1336 | PaintStudio.View.exe
    SeDebugPrivilege | 4100 | WerFault.exe
  Note: the vssvc.exe, WMIC.exe and wbengine.exe entries are the privileges those Windows components enable to do their job (WMIC enables every privilege available to the token, which is why its list is so long). The sample's own processes (740, 820, 3716, 2156) each enable SeDebugPrivilege. PID 3268 appears for both csc.exe (under WriteProcessMemory) and wbengine.exe here; csc.exe had exited and the PID was reused.
Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid | process):
    2300 | werfault.exe (recorded twice)
Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes (pid | process | times recorded):
    740 | Chaos Ransomware Builder v4.exe | 2
    1220 | mspaint.exe | 1
    1336 | PaintStudio.View.exe | 1
    4716 | mspaint.exe | 4
Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description | pid | process | target process); the report records every pair twice, so 12 distinct parent/child writes:
    PID 740 wrote to memory of 3268 | 740 | Chaos Ransomware Builder v4.exe | csc.exe
    PID 3268 wrote to memory of 1708 | 3268 | csc.exe | cvtres.exe
    PID 820 wrote to memory of 3716 | 820 | EnableOpen.exe | svchost.exe
    PID 3716 wrote to memory of 3460 | 3716 | svchost.exe | cmd.exe
    PID 3460 wrote to memory of 3672 | 3460 | cmd.exe | vssadmin.exe
    PID 3460 wrote to memory of 1316 | 3460 | cmd.exe | WMIC.exe
    PID 3716 wrote to memory of 1124 | 3716 | svchost.exe | cmd.exe
    PID 1124 wrote to memory of 1820 | 1124 | cmd.exe | bcdedit.exe
    PID 1124 wrote to memory of 2824 | 1124 | cmd.exe | bcdedit.exe
    PID 3716 wrote to memory of 2184 | 3716 | svchost.exe | cmd.exe
    PID 2184 wrote to memory of 3652 | 2184 | cmd.exe | wbadmin.exe
    PID 3716 wrote to memory of 508 | 3716 | svchost.exe | NOTEPAD.EXE
  Note: every write here is from a parent into a child it has just created, which is what ordinary process creation looks like; there is no write into an unrelated process, so this signature does not indicate injection in this run.
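Because each WriteProcessMemory record above is a parent writing into its own new child, the block doubles as a list of parent/child edges and can be turned back into the process tree. The following is an added example, not sandbox code: it parses the records in the form printed above (the regex covers only that line shape; each pair is listed twice in the report and is deduplicated here), rebuilds the tree, and returns the lineage of any PID, which is how one reads off that wbadmin.exe ultimately descends from EnableOpen.exe and not from the builder.

```python
"""Rebuild the process tree from the report's WriteProcessMemory records.

Added example for this report, not sandbox code. RECORDS copies the record lines
from the "Suspicious use of WriteProcessMemory" signature (the report lists each
pair twice; one duplicate is kept to show the deduplication). The parser handles
only that line shape.
"""
import re

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>". The source image
# may contain spaces ("Chaos Ransomware Builder v4.exe"), so it is matched lazily up to
# the first ".exe" that is followed by the destination image.
RECORD = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (.+?\.exe) (.+\.exe)$", re.I)


def parse_records(text):
    """Unique (src_pid, src_image, dst_pid, dst_image) tuples in first-seen order."""
    edges, seen = [], set()
    for line in text.strip().splitlines():
        m = RECORD.match(line.strip())
        if not m:
            raise ValueError("unrecognised record: " + line)
        edge = (int(m.group(1)), m.group(3), int(m.group(2)), m.group(4))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Return (images, children, roots): pid->name, pid->[child pids], pids never written to."""
    images, children, targets = {}, {}, set()
    for src, src_img, dst, dst_img in edges:
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        children.setdefault(src, []).append(dst)
        children.setdefault(dst, [])
        targets.add(dst)
    roots = [pid for pid in images if pid not in targets]
    return images, children, roots


def lineage(pid, edges):
    """Path from the root down to pid as (pid, image) pairs."""
    parent = {dst: src for src, _, dst, _ in edges}
    images, _, _ = build_tree(edges)
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [(p, images[p]) for p in reversed(chain)]


def render(edges):
    """Indented text tree, two spaces per level, one root per top-level process."""
    images, children, roots = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{images[pid]} ({pid})")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


RECORDS = """
PID 740 wrote to memory of 3268 740 Chaos Ransomware Builder v4.exe csc.exe
PID 740 wrote to memory of 3268 740 Chaos Ransomware Builder v4.exe csc.exe
PID 3268 wrote to memory of 1708 3268 csc.exe cvtres.exe
PID 820 wrote to memory of 3716 820 EnableOpen.exe svchost.exe
PID 3716 wrote to memory of 3460 3716 svchost.exe cmd.exe
PID 3460 wrote to memory of 3672 3460 cmd.exe vssadmin.exe
PID 3460 wrote to memory of 1316 3460 cmd.exe WMIC.exe
PID 3716 wrote to memory of 1124 3716 svchost.exe cmd.exe
PID 1124 wrote to memory of 1820 1124 cmd.exe bcdedit.exe
PID 1124 wrote to memory of 2824 1124 cmd.exe bcdedit.exe
PID 3716 wrote to memory of 2184 3716 svchost.exe cmd.exe
PID 2184 wrote to memory of 3652 2184 cmd.exe wbadmin.exe
PID 3716 wrote to memory of 508 3716 svchost.exe NOTEPAD.EXE
"""

if __name__ == "__main__":
    edges = parse_records(RECORDS)
    print(render(edges))
    print(" -> ".join(f"{img}({pid})" for pid, img in lineage(3652, edges)))
```

The two roots the parser finds (740 and 820) are the builder and the built payload; the report's Processes section shows the same split, with EnableOpen.exe starting as a top-level process rather than as a child of the builder.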
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe
    command: "C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v4.exe"
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qx1ftn2b\qx1ftn2b.cmdline"
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7309.tmp" "c:\Users\Admin\Desktop\CSC182DD043AD604E74BBA19C8E59C89B41.TMP"
-
[1] C:\Users\Admin\Desktop\EnableOpen.exe
    command: "C:\Users\Admin\Desktop\EnableOpen.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Users\Admin\AppData\Roaming\svchost.exe
        command: "C:\Users\Admin\AppData\Roaming\svchost.exe"
        - Executes dropped EXE
        - Modifies extensions of user files
        - Drops startup file
        - Drops desktop.ini file(s)
        - Modifies registry class
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Windows\System32\cmd.exe
            command: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
            - Suspicious use of WriteProcessMemory
            -
            [4] C:\Windows\system32\vssadmin.exe
                command: vssadmin delete shadows /all /quiet
                - Interacts with shadow copies
            -
            [4] C:\Windows\System32\Wbem\WMIC.exe
                command: wmic shadowcopy delete
                - Suspicious use of AdjustPrivilegeToken
        -
        [3] C:\Windows\System32\cmd.exe
            command: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
            - Suspicious use of WriteProcessMemory
            -
            [4] C:\Windows\system32\bcdedit.exe
                command: bcdedit /set {default} bootstatuspolicy ignoreallfailures
                - Modifies boot configuration data using bcdedit
            -
            [4] C:\Windows\system32\bcdedit.exe
                command: bcdedit /set {default} recoveryenabled no
                - Modifies boot configuration data using bcdedit
        -
        [3] C:\Windows\System32\cmd.exe
            command: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
            - Suspicious use of WriteProcessMemory
            -
            [4] C:\Windows\system32\wbadmin.exe
                command: wbadmin delete catalog -quiet
                - Deletes backup catalog
        -
        [3] C:\Windows\system32\NOTEPAD.EXE
            command: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
            - Opens file in notepad (likely ransom note)
-
[1] C:\Windows\system32\vssvc.exe
    command: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Windows\explorer.exe
    command: "C:\Windows\explorer.exe" shell:::{52205fd8-5dfb-447d-801a-d0b52f2e83e1}
-
[1] C:\Windows\explorer.exe
    command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    - Modifies registry class
-
[1] C:\Windows\system32\wbengine.exe
    command: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Windows\System32\vdsldr.exe
    command: C:\Windows\System32\vdsldr.exe -Embedding
-
[1] C:\Windows\System32\vds.exe
    command: C:\Windows\System32\vds.exe
    - Checks SCSI registry key(s)
-
[1] C:\Windows\System32\rundll32.exe
    command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
[1] C:\Users\Admin\AppData\Local\Temp\EnableOpen-decrypter\Decrypter.exe
    command: "C:\Users\Admin\AppData\Local\Temp\EnableOpen-decrypter\Decrypter.exe"
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops startup file
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Windows\system32\NOTEPAD.EXE
    command: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SyncPing.css
    - Opens file in notepad (likely ransom note)
-
[1] C:\Windows\system32\werfault.exe
    command: werfault.exe /h /shared Global\ce69b18b430941e98e29b207b5d28b21 /t 2940 /p 1712
    - Suspicious use of FindShellTrayWindow
-
[1] C:\Windows\system32\mspaint.exe
    command: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\FormatDeny.png" /ForceBootstrapPaint3D
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
-
[1] C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
    command: "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    -
    [2] C:\Windows\system32\WerFault.exe
        command: C:\Windows\system32\WerFault.exe -u -p 1336 -s 3740
        - Suspicious use of NtCreateProcessExOtherParentProcess
        - Program crash
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Windows\system32\mspaint.exe
    command: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\RequestRestore.jpg"
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
-
[1] \??\c:\windows\system32\svchost.exe
    command: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\EnableOpen-decrypter\Decrypter.exe
MD5 97f3854d27d9f5d8f9b15818237894d5
SHA1 e608608d59708ef58102a3938d9117fa864942d9
SHA256 fac94a8e02f92d63cfdf1299db27e40410da46c9e86d8bb2cd4b1a0d68d5f7a2
SHA512 25d840a7a6f0e88092e0f852690ed9377cf3f38e0f2c95e74f8b2ffea574d83c6154cccdbf94f1756e2bbdcdb33b5106aab946644dedc4ffaefb6bf57a866696
-
C:\Users\Admin\AppData\Local\Temp\EnableOpen-decrypter\privateKey.chaos
MD5 9bf57a8128e673a5000c38a5ae07b5a9
SHA1 beaa1b02fc854abc8a22a8bcb0c3639c94e64d82
SHA256 1da24d314e389c12aa5c840708052da138ea15b7e9d8d86dfbd49e7feedc00c1
SHA512 7ef215ad43acf4c3d7c82f318b3504ea3f75be2489dd50ab6586506c9cfdbcdc16db37d5634c9adeb6aeac4134dbcd70b2150c0d42f7559ba2e3c578e11addcd
-
C:\Users\Admin\AppData\Local\Temp\RES7309.tmp
MD5 5c8481c7535a5b04fdb09f39a1b5cdf2
SHA1 ccff2fc586fea3154be793ce5cdbe2f8c18ad58c
SHA256 cfa3d60e633c23aa53438f74d8c7916ae56a559a724d54c2d44adf9b2cc78be4
SHA512 342f0112bbebc74f32b26bbdc604033e9a5376b8f1771cebdfac6b7110eeb920e1b471bf84a35df1399fba18ed306018cc3e4434d6046f7db4781548f78db04b
-
C:\Users\Admin\AppData\Roaming\read_it.txt
MD5 4217b8b83ce3c3f70029a056546f8fd0
SHA1 487cdb5733d073a0427418888e8f7070fe782a03
SHA256 7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
SHA512 2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740
-
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5 ecbea448dca15b71304c380193acf405
SHA1 f895efb42e7e858300638be742694b7a96be2207
SHA256 91b3affb278a269314d469198faaf96edc526e0b35979ece5ed17a44a4a045d8
SHA512 df18cb14925933e9d8c9750532eb00cddc0cd8710ca05070ed06643334c70396986921c33dd3251c4fcc1a76d4d65dc56bc3b65656ea56822a11ef9e59258ba2
-
C:\Users\Admin\Contacts\desktop.ini.qodr
MD5 449f2e76e519890a212814d96ce67d64
SHA1 a316a38e1a8325bef6f68f18bc967b9aaa8b6ebd
SHA256 48a6703a09f1197ee85208d5821032b77d20b3368c6b4de890c44fb482149cf7
SHA512 c66521ed261dcbcc9062a81d4f19070216c6335d365bac96b64d3f6be73cd44cbfbd6f3441be606616d13017a8ab3c0e7a25d0caa211596e97a9f7f16681b738
-
C:\Users\Admin\Contacts\read_it.txt
MD5 4217b8b83ce3c3f70029a056546f8fd0
SHA1 487cdb5733d073a0427418888e8f7070fe782a03
SHA256 7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
SHA512 2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740
-
C:\Users\Admin\Desktop\ConfirmExpand.ppt.iwbo
MD5 9d87f14ffb96dc56b4cdaefe479d4621
SHA1 98cde44a91008be0802f3e377c0d61d844fc19b3
SHA256 177f49e98e4c698993c4ca9bfeca5d9e2f45a51e5a6a39d26501c27920d9999b
SHA512 00474ddbeee8761be7ff8bfa85559ce7db7f4502c232b382e5e9cc7dd705df6cce56aae30e69eb67dedfa41db763ecd0bb88b34fb7aa3c5d7cf0c5f0aebd2cdc
-
C:\Users\Admin\Desktop\ConvertFromRevoke.doc.5ht6
MD5 6a00253c6a8cf085b8958893575e4940
SHA1 a996b3c29013795af24f7a87cc446e386ec6c35e
SHA256 a30338a89c68928c0f39f85c7415bc5cf7de15f934e29794d8284a0edcd41560
SHA512 bac46b81edd87022ba79cce5cdc4dbac0bed6b21c0d16489d4486520e2f265eff425a4d04307955f92bae4d1ea2874b1566b5df990411ae7de0becc4c08dffb9
-
C:\Users\Admin\Desktop\EnableOpen.exe
MD5 ecbea448dca15b71304c380193acf405
SHA1 f895efb42e7e858300638be742694b7a96be2207
SHA256 91b3affb278a269314d469198faaf96edc526e0b35979ece5ed17a44a4a045d8
SHA512 df18cb14925933e9d8c9750532eb00cddc0cd8710ca05070ed06643334c70396986921c33dd3251c4fcc1a76d4d65dc56bc3b65656ea56822a11ef9e59258ba2
-
C:\Users\Admin\Desktop\ExitPush.xps.sa0s
MD5 9d18fcb4bb1b9fd6dd3f419787f5f920
SHA1 ee0495d98d8277f82830e640a4863e5e48aad31b
SHA256 184c526b6d8d03c0684fa3b31558c950203afcb59aeffcd53befcf8af001f849
SHA512 2885b97afd7ca7cc87f7a97e9b4f617663865cedef683a57e61b009363535ba540235c5a149a40b65da16d41fe0ea299869b81f41daff986eaded16e0235f3d1
-
C:\Users\Admin\Desktop\JoinInvoke.sql.tuku
MD5 c29edb51e6f2ea32f9109fd7d58c337b
SHA1 272ed6b12c2e73ad4a033ecd374d67221726c089
SHA256 5dc749f82d2ff955f3371551588faf73595d4237cd7fedc0874ec67dc6989656
SHA512 fcbfe03237a99ff814fa0f9d31a5709a93bdc1aa9601e3e0391999f524aed0fe9067fabaf6cfe11af3a6d99eba3da13b086732ac449632363b0a395911d96805
-
C:\Users\Admin\Desktop\JoinReset.wav.h1fx
MD5 d600405f3b1353336baba1ae6b329153
SHA1 4bf8ec0150bed8b99cef6d26dcd26aad779ab0a7
SHA256 2b6bf3b0e7f174738d4c63297f88a36ef899f9179552429b9e5a702cddcb07a9
SHA512 9cb95e691248f8c434ec1d6c917d67b65025eaf370ac05c9d31da5c7ca6d6a003827e93d32d04a1e80687ad5e737124d1eeb4fa9abfe326852e48d3f87429e94
-
C:\Users\Admin\Desktop\RestartAdd.xlsx.knjm
MD5 d047644ebf4a51eb84ead712d5922498
SHA1 e94084639101d2e4652907cf261cb405db172f93
SHA256 f1c3a5b62331345bd08425bf798d09f50c6c15cfabef68bc5575dcab39f113bf
SHA512 1729bb7ed63b6a4c15829bb079465897f7743d49641649be5abe5032503b3cb8aa8e1e8e310a353c160fbda6524996e779afd53ec6082782086ce9bcb2e054fa
-
C:\Users\Admin\Desktop\RevokeConvert.xps.9iow
MD5 1ca0b6d16a67adffa45a3bd9e7313ce7
SHA1 57de73eb764d69b8f63b3199268798ada29463f1
SHA256 2ac3f9c11a325923fb5e21ed1bdfabf3d9ff3f29da1aa1c1bc03fcbb076f181d
SHA512 8f17b6e6e9ce0ce8ebb97ea07ef20684bbcbe8aefd0ec91c68bd35d98fac343692cf86231204f2967120cbe438abdbbb9c8f583d04d6b4b97a6268da1f3f4719
-
C:\Users\Admin\Desktop\SyncPing.css.nzl4
MD5 8da5c798aeadd2cf18d8c5983b5b8bea
SHA1 1395665d4e02f5970fa12fccc4558f16f56b47f2
SHA256 1c68471a4982256a63db4d6fd997330e9355fa8d57865c06cb068ba7af81e749
SHA512 9cd4d2b8b23eadabebde46170dee427004c9c490d5eadcfb0d6192c95aa57f02a8bcca61264ccdd7b996d57ad0d75887c24370ccbc3c6c81efd67287328ca2fb
-
C:\Users\Admin\Desktop\UnregisterMount.css.vbtz
MD5 101b9edd3fa776df2d6334cb2b8d63c8
SHA1 21e456ee886f1e86ac04a5531dc3d9ba2ccb374a
SHA256 40d9d0b648d54b783c4549a5badac139426d0fcfa59b27d5a5622edafb31ff55
SHA512 9a20aaa65483d81bb1dbe13f003b0cbda41a67107e5e8ad39aa76d3e86d1656e17a27e1ddc6e7d9bb70169ddd3a27af0909fb63388cfc89b0ce17f2b3116a4dc
-
C:\Users\Admin\Desktop\UseMove.lnk.r0x6
MD5 01abe1332c6d1651a551c1c5d0d75c74
SHA1 4751bf5edfbb196f6fc13b9e4aa31f882a0fc168
SHA256 d76477c0587c7687d7d550248cfeedb8230d124710a4931037273050665b03ec
SHA512 a192991db4b2788071db0c3364c267e924abf1e8710b5b5c2e4fd3531844bb2704ef85890302dbe48d2e24b4a830ef4c51a901db2369e0ce883cb4b048c84b4d
-
C:\Users\Admin\Desktop\desktop.ini.82yd
MD5 c1591374eadc2c8f72eeee4553441278
SHA1 8165a5db4101aadc3034eeab286786f783cdc10b
SHA256 80379796a7ce1a082c210d61a6d1f204a30d2e9fac93cab0e0c16115f986c5dc
SHA512 954f0650d17a9f9f4f3619d4fcf3f3bb6ca4309a15090c6f8c1ebdabbc347da8e5693ee0d21eca5abf62a778438befe5ac87b2b37d99663398fd0c8ece3ec710
-
C:\Users\Admin\Desktop\read_it.txt
MD5 4217b8b83ce3c3f70029a056546f8fd0
SHA1 487cdb5733d073a0427418888e8f7070fe782a03
SHA256 7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
SHA512 2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740
-
C:\Users\Admin\Documents\Are.docx.7h60
MD5 32337da3dc9c784eda42ac2ce7900649
SHA1 885f087208265820e1bacc5668bad6859a43e1b7
SHA256 6e80422212aeb770359071dade6da1a6d35be2a76a174dfb90ad84fc69230bf2
SHA512 d22f0f467c8fed8d0fb536f0d6afab718e2687b79a3f2e48bcd982bd4a7719d38ced1fc7bd8668eafb1c2b0b095a837699e4996c0438833e775ba0e3839b0e84
-
C:\Users\Admin\Documents\AssertDisable.xlt.nbz3
MD5 6b6e7c583c0da09372b9536be7f23ef4
SHA1 08273af688313e9957b5a11df13e28c922d854b3
SHA256 7b8f5c45540331eb0ea56afd02a4ba6d4892852fcc3e31d5d840bbdc6bed5eba
SHA512 6da84fe16cc58a51c942a5d6eea514fef11b04744ec27c515b350ba1c57aee8ef1953460b782ac309470adb7f251522bcc61513c82db75e2cdf851725f9c78b6
-
C:\Users\Admin\Documents\CloseUse.docm.z57r
MD5 542f19a2e7875a7cb02b2a0909837c67
SHA1 4ba8cef7f268890b906982e6ea0866afbe1386a9
SHA256 3e3120a0f125988d7635ad3f70d49599dc2136806e953df364f31134edbdc5bc
SHA512 c50111e448f3d0e41c66bcec149c9c5fcd16a5d780381bbe5874e73b9273e5a2e21067ff8edb85e9339095e30c3add79cab3508f87254d4cc7fc349962568a94
-
C:\Users\Admin\Documents\ConnectRemove.docm.bvcr
MD5 69a417edb12ee76c9e8f1666cf7138e0
SHA1 14436a1ddfb1e9a407965602354811e9d77338c7
SHA256 b1c6a31c274b221a89867cc67fca4cf476dbce62667404256cca3c6993169cf2
SHA512 8e7245d87fe89fb4512a4c6963d9abae9057958c58348f650ef19ca4b8221988ae1b4e404b92df7410a0f07678df1a28bf13d588f4dcef1e3241c0618b4b3788
-
C:\Users\Admin\Documents\CopyCheckpoint.html.ej93
MD5 cd80df17c14acc5ce69abc45ef0632d8
SHA1 cbb45639241d130f22719c64203d0cd93ef57634
SHA256 e3db760b94541f627f5292ca3435452d6cb481251352cb1714e2d5de516c1f96
SHA512 867b51239ff527ecbc130d3bf232434750189c2e19a6a8a80acacd2fe2eb915ffb5732890cb8cf9e4a9771478befc4ce1b3482ec0764de3db1aad01f82a78a9a
-
C:\Users\Admin\Documents\ExitNew.mht.yyck
MD5 4c59b3efb7b35064f6fc8ff2ebebabc7
SHA1 e379b367dde7564ca4f67db5acbc927b74e624f5
SHA256 3389a879b2ab6b9fcf7e6003f66fc55c7c2c5c64300c8b813c65ce135fe4c599
SHA512 18314d58763b2dcab90e9c992d6c3813d086c30ec92f1dc2bf88530e3419f0b32a1a09b2272e201613caf73f85d7d99c1419646cf63b94f92c146ac2d2d71144
-
C:\Users\Admin\Documents\Files.docx.04oh
MD5 a1a6ed63af4caec676f300d79c056aa3
SHA1 3ae361a2202abf9c1ccc1ffbe70085a85243bd4a
SHA256 c6d74a4267a5eea0ec25f12251af6b2827eb90b27f4ceda7896ed4c0c61c95ca
SHA512 c7c26cf03bf94da884eb1f623f5197b2858dfad6ba505e33df48129c491a55eedba3bbc378785874a70b7528610a2fb2237291f9747c3fcc485a8ea8bab8a929
-
C:\Users\Admin\Documents\InstallInitialize.potx.7b1j
MD5 c86db489d9d7641183f44972fba7ac7a
SHA1 37f00f21d56fb8fa1f76e685581883c5bd1833d1
SHA256 7a5aa5e3417a5eea9e39623106a07631c7c92f8714412f930bdb0f459d295cc5
SHA512 e8e1c3ae0c920839a1958a8d4d5abbf8e1fa554743c75930c683aa9248c5c5946eb84f09e28e988fa74317f84d223146f86d331d4519c38e92d12e73d3cdd334
-
C:\Users\Admin\Documents\JoinResume.xps.37sw
MD5 476ee6d411513f4f0f892906203ee5a8
SHA1 0aa1dec8b487bb4a8cc1d57be066d34c7ae6c880
SHA256 a48d7d4012991dcb2da91bb417d9a608769c3d71b33785c231465a6872b4588a
SHA512 88027fded4a2a5ba1aa0ba2794e2772b88080529f65e978147f4a922f6d17268bdc9fcd36a2173ed86cb01e76a37a3446936cf1b55a2d1c14528fc127e985913
-
C:\Users\Admin\Documents\LimitDisable.potx.1f1a
MD5 2ea360b627f3f72f5699ea9eb4bd5014
SHA1 23215a01e858b80b08a34ac3094f74cdcf78e78e
SHA256 d0b15d8bb748f5d5238aba9c88e412470e5a36f608ae5283b48e7f956d42e6c3
SHA512 f8697169a6f2c71c9e0e74b4048beeeff6ae37ef4d405aa1bc7cfc87a655377863866930ecb911a31880dc3961a9f946b8fd7780fb75e29f413c08e38c19e479
-
C:\Users\Admin\Documents\LockPop.pptm.2cz8
MD5 8d5a4b0473ec74587c5b49adc736c377
SHA1 b608bdcbea73ee3b0f7af59304527cc5d111889f
SHA256 a0fe9527b4af1a8dc283705333f2410c4e950bfdea595bd8de86c4b76e791d2f
SHA512 7b4b6e42c5ba9984ba3d67ed5766f6357ffd4485d8244ae12320a93c6a6eb3ea0906c9dd2143cdf397babc5b2748f44fcc4205785eca2625b4f4d679bd1236a7
-
C:\Users\Admin\Documents\LockRedo.ppt.asmh
MD5 8952f4979064377bc754964f91a899a6
SHA1 b40be56cd49e26b1d3da321927fb5b3e024a6e2d
SHA256 1edd9848a03e2bc6a4365b477e1faa8038bc4857dde99d1bbc1b2ed5b6377ac6
SHA512 a8f98896b9a96d6c5414c252834e3e5ff8c8c23131a821871b4402bfa5a7c31ee1517c6ab11953e4d4cf9105b636718d95dcf2283c251bf670e4bcbedd30403e
-
C:\Users\Admin\Documents\NewSwitch.docm.ojdf
MD5 16ce8f4684f776b664eb9a0e299ed172
SHA1 f10bccc326d052d4de1b5879919074a173f95a9c
SHA256 63d7d68b8c08965c9344fb6364b250625ac65509bf55904c347097ee0f884e24
SHA512 48cd76c500643203294f31d6b2ca5807376d1930453daafa6473f970b28d47946c07db47d5a779f2ecb7045c582287606a0c1e849e88e297bb4cb2eb964d72ad
-
C:\Users\Admin\Documents\OpenFormat.wps.9pd4
MD5 a0d3f18524bf884decbfbe8aaee217c9
SHA1 380775703ab4f1596f00b5b1e18b88d7e73805a6
SHA256 cc98e4749b3cb66ab3ddd62f2d53b88fbd7397cf4b5e18517dd97d5928195dd7
SHA512 b10b6bac0dd441d5a4685a3494d57ab5c0c1e417581a02206b08c041cdde1a6aa94d8a5d0696557b5b2681e909b9250b44c56b26d8139421d92dcced79d8b41e
-
C:\Users\Admin\Documents\Opened.docx.1wcz
MD5 ddf79fff3beca8ab9f7b6165bbe85e0f
SHA1 a1099772ca1a33f4664a2033ba9cbd4508332f94
SHA256 ea78409043e109cd7240ac5955ee22b56c5be2223461be3152317af69dc955ed
SHA512 6470e9e00067f88e5c683a95846238e80116a0a404c0f6666b1176fbdab6b99025196ea409aa946bffd018d3f2ff6bb00659cf83c92ae9902bcec473cef6667c
-
C:\Users\Admin\Documents\PushConvertFrom.xlsm.r0t9
MD5 2500d80e863ea71dd5a1ef61654b3f2f
SHA1 7148a165c9e4b3aeea56248d0cb72395e6d542f1
SHA256 bb328014d6b7a721f1a171f38355d29220db6ef60b7797ceab5a6ee052ea10c8
SHA512 6c544c8a33eebfce4aa445d5104888afacfe749c84f8bd2f5a33858d5d374bb592909629e3a3f1232485566c2b675c22cd8b6f3e3378851d925091e3974d851c
-
C:\Users\Admin\Documents\PushRedo.mht.33xh
MD5 4218fbde8b26547cf7cdf3cde98be61d
SHA1 e121d23af4d17ce9ba6425059340cb4d24aab083
SHA256 413bd74b4bce39a5ee59d9dc9e0664057e03e7017e7c2041b1147a191479a664
SHA512 c42dd775906918bf38f71b43bbc3d62594a57211630211ebaadd17b3a08f2d2f33c57859752c404d952f9d5847b763ec3118b9d7d529c8e6c7c0238c8f46a8dd
-
C:\Users\Admin\Documents\Recently.docx.0ncj
MD5 bed01b326da766584a1856957004f3c7
SHA1 6784fb0f738022c4942d48dec24335e2bb60dc20
SHA256 04dd9098e8e0942c974ad69cfc3d802c46d4e65f5bfde6a6ae155d4222101597
SHA512 06306bc8d4053d7898740ebe65d515fc26fdc5517d3a3ed638faf506a5165db047a4ed518a5235c8149c4f727528439f56c5cf3982a2e01139bbbe3033dcf0ac
-
C:\Users\Admin\Documents\RemoveCompress.xml.aprv
MD5 91f77f26ce9230f7255844bfebe568e4
SHA1 6328526f5b9458dade79745752ed17ff714b07d3
SHA256 485edfda361afc8674c27eeac874bba9099c58e8955735f58b4f74eab634bc85
SHA512 1d21633d1bb73e0be59e78622f58aa6811343af2203f1f35837db8ef20e18495d63ee842e19b6300adad19762aa1862c571affaea44f8122142268f3876af5a4
-
C:\Users\Admin\Documents\RenameWrite.docm.8dkh
MD5 4c0bc855d30b04e21b1241e993de7712
SHA1 93b4ece08659ee4a66eee07cdab78e57090d8622
SHA256 33bda5303cb332de1ca4f93a9c09e0d0c74319a57f58b5b1c4f57e6964ae702e
SHA512 6ca986bf99d133a2d2d8b536c6ff9c270782e1eecf53e6bb92bbb4f44cc5117032af7e0a71e3d604dcc5a3a37014c2cd56babea17ef1231be22f997c7ce866e1
-
C:\Users\Admin\Documents\SaveConvertFrom.ppsm.rh2x
MD5 8a6fe1841c2a9558b4adc7c2014a23ea
SHA1 864c5f99d76f288db7e7fddd624cff46c356323a
SHA256 5d3d986251a8a267e70b3bb9ab7f2c6f05852164d22485020a88081fa72917d4
SHA512 d8d7612aab2641f9e635eedf701c40b3bacf2fa06a8384dd0f72c65c9ba2028a0d58f2f96cb9affb09a3c28e56da6cea562d60d748acab2772b66faba9c41a1f
-
C:\Users\Admin\Documents\SearchDisable.dot.8wrg
MD5 f4279cf01658619affdfe37f04784a01
SHA1 e7be16b20a21be7f6db10ee1b40120a2709c6d26
SHA256 b3bfe0044a7299e3164ab63ecfe1976762714921a8d66bbc3c652eb2cf83c481
SHA512 2df2f4b6452a0e8e0be898dbce2bb7b935f57afe8aa9450d766b76ada200bf68421b8f806a8180428f85cf6636648ba5765680ebc69628af617928ac22cde3bb
-
C:\Users\Admin\Documents\SelectInstall.potx.43xm
MD5 21fe71c91fd61ed27370dd5f400c4ca4
SHA1 706a501c3bb836f1a2355a25b42d290c2663b554
SHA256 fee759584dba8b5158f942889446617097f120e4e85fae75b2a6826cbbff73dc
SHA512 659f39d9ae59b5807cc1263fce3b43c2c19dea9da029412d374f78d0a31e85b818e6765248edf7c251e7184efc0f45e8d54a3cbfff0ff10caed28a298c4dc23e
-
C:\Users\Admin\Documents\SplitHide.doc.b7sb
MD5 04a77d614c0a276f11b41234723b7a8a
SHA1 b1d564330d0dd47d740e7f4f9cb9aa786a583783
SHA256 4dc90d1dd9fb5efb5ca73ab42cf151a5f4b442cde639ca86100c509abf372e7b
SHA512 e142a75446f1fc0c79064cb8f6f0ab692af416f45a8d15c21619e8721564b4327ee7debc6889fd472a343f5ecdc991914ec42f94560aa202266242b4b755c931
-
C:\Users\Admin\Documents\StartOut.xml.szfh
MD5 9b086b0b172a03590494701c5b6676f7
SHA1 5c486e1137d724eac4772da23d481c32581342d9
SHA256 362e4b139e6eb9116cfa218dc7d363a7b06f5825ef4e8680c7bf6e3172a3b308
SHA512 9e13877f784efc8c9363fa914633597db939c44c4a22fe10dd79f82cef197b4f16d068c2d81514fabeb179fcbf2e161bf8b34a6da12400bad43f44d1a1ad05b9
-
C:\Users\Admin\Documents\StartRegister.doc.4fqb
MD5 fd6f3fc05d8d9ac12447ea0e74b36183
SHA1 8cbd2fb89e1844e5a8847ee27cceea4991dcca3e
SHA256 a6219189b023e52cc0c7bf2ef6e465b791860fc753a3ee438c7297a197132a9b
SHA512 e1b3c7bcd67d371a0a1747609f1587b1f732b59d471fe5cc76088e0b54fef5619fa7f33c1d834a5417685d57d077b57a8cc6e1e71392ec166075cfbf63a178f9
-
C:\Users\Admin\Documents\StepWatch.ppsm.h3em
MD5 8381458a5324b6f3f2a57ae413a2958a
SHA1 7fd50adcc5e8c89e98de8a4a2b143443626370d8
SHA256 628785c6876c483955b1c1680aacf2c5203cfc3fa869231fd473431dfb1d4433
SHA512 f4dc01744a16ad6400b62c48dc95afed50cb4e9e32769377e27b6432fd43b2ec1a1c84a1c1878642d8a5f3387b0c2fe11536e426f9097345d5c76f8013038fd9
-
C:\Users\Admin\Documents\StopPush.potm.eq05
MD5 a647c4168c7390b353b7bc9611b700d0
SHA1 0f93d87998fc359001c4e3db446c25258595af7d
SHA256 765e787c5a7b868e0e39505fd2a93306046c81de0ba3ceaa3c51faa62df1b3fa
SHA512 a217290c0ba666875014e9078740b92ba5fcfa93d80880732e80a0644619d727cd32c9d29cc24e1129221d9177f572ebf68310b8769aba69506c1c216743b267
-
C:\Users\Admin\Documents\These.docx.f5mj
MD5 a6cbc4e9c5fc7bbd575b1b57c0c9ec30
SHA1 337985a29b92dd7233705688ac72c4feddbec9f0
SHA256 2deb15cbb9fb2770c18130b35a59815379bb61e249d8ec142c82ebdefcd576d8
SHA512 909103d43182dc5346b2baa40dd014b00137dbb8e69d90b85ccd6090a0e59ba03fa600293aec6ec666a109c3f4f9e4cd49b28ca5e992d7c6c18e66819d4c0b15
-
C:\Users\Admin\Documents\UnpublishProtect.xls.85bg
MD5 39b45f7a6319e15a68c662c858d8a2f3
SHA1 991e60d99e3af63d17f98fa5d613c1f054c07cb0
SHA256 862c74722775a5f099194b71b75ab30234985f4c66a8b3a45494acf32130d73e
SHA512 eb2f5b59825b915d4b22386455389b5b1f8124d93c8fee0d16a3a2c81bec9148f64b2e862ed108f6cb90f0de8d67028c05b319f0983d242070d3cf61e9447811
-
C:\Users\Admin\Documents\desktop.ini.o2pk
MD5 2c61eb49ff41a9a3cd7d4f0840c413c5
SHA1 d43c3e0081547f5f292f332ba68d1cc7dd235c5b
SHA256 b0c882dcb9cedb816ff8c1692a1d716c34f55a6b44f656f7f8f0d470d9688225
SHA512 53094153e1723ffdc251277a9363660e48665fb9061f6f7c65410627ef971ae9ab8fcb584ff15f6de2186ae5645b5200317193ea2806a0b866ffb82cdf671d6b
-
C:\Users\Admin\Documents\read_it.txt
MD5 4217b8b83ce3c3f70029a056546f8fd0
SHA1 487cdb5733d073a0427418888e8f7070fe782a03
SHA256 7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
SHA512 2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740
-
C:\Users\Admin\Downloads\ApproveStart.wma.lqm7
MD5 4e7d4a028dacb5d31128deb9aad98375
SHA1 928bdd530644a416f3a78806cb9773970b22e539
SHA256 018651ca4e1b023d23315029054b1096f9416262d770f41a92fd843f35447d3e
SHA512 044beffc8dbd3a853c8b64ec8d777d7d1c71c35b5526f7b7b929abac53c064842fbffda6a2d48ac4a088b8b0cf39e9b6711d30f01a929e31b1fda7962cef3b74
-
C:\Users\Admin\Downloads\CopyPush.html.00hd
MD5 87ad89c105a53f3372177717f0145292
SHA1 d7ea8e3e2585d6228c0206bcf3f98b00dc065e73
SHA256 8820eeb27a695e65979ed77d403e853f972e012b224a3a825d5b6527f546591e
SHA512 9eb1e93c214a4496844bf2de33ce6a584c17bbc81131ead2741a5d8823ecc908cbd4d6ac3737e479252d0ac7b306ec1907a60d8ab35b2fbd2b541f5cdbbb0dc7
-
C:\Users\Admin\Links\Desktop.lnk.6zu0
MD5 7e24be6da448a76ccb98154293082679
SHA1 78c2eb92e2391cc9ff2c5a27567876f80cd1ed90
SHA256 46dd9571147d64dadab1143786c681982d4dc527b90262b95fd7c5b30584a09f
SHA512 fe9ebaa8ee6409ba32d3016f8819d8f7e458133908b02e453416e218c8d4d2aa51d2b49b454e532b2e4b6d7bccd6f580bb505a92ce5d9face6dd9e5657722887
-
C:\Users\Admin\Links\Downloads.lnk.ud9q
MD5 95a72d3b037a0fe1ef9d1145862e1e07
SHA1 14f0d35a7b3727ca52d8852c6945495d6a2be9be
SHA256 174f47d95e702bcf1723f70e0f919cfc3fd9e878dba4484d47364e9cf9a030f8
SHA512 0313656a67eeaa27efb8f984d89dc0fd43f6c2a7b37190d9822ec581bfd451f7ed63ef7e07ad114926102b935fc46f5cf385e1c31935801e12f8ea5e1432604a
-
C:\Users\Admin\Links\desktop.ini.xr8r
MD5 c2b51b7225f0fa2d2c2a7a33fb5fab28
SHA1 737f06c08ee6ba80d546f2f45b8a2e3e44637509
SHA256 07c5118cbc37383e75248f63f9e1955c0c458bd9341c8e6f08fc51370a6d77f9
SHA512 1a2c2b1ba229c0861d65d4da07d193bd7988bafeeaf927c863a889db8c1bf05d4db32fb74858a35c644cf390ca25bee9e6cabb1ed8fc7ef941337b49e174378f
-
C:\Users\Admin\Links\read_it.txt
MD5 4217b8b83ce3c3f70029a056546f8fd0
SHA1 487cdb5733d073a0427418888e8f7070fe782a03
SHA256 7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
SHA512 2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740
-
\??\c:\Users\Admin\AppData\Local\Temp\qx1ftn2b\qx1ftn2b.0.cs
MD5 ba40fb4894bce0834d42fd754a90ef58
SHA1 a4245e8553219758a964800c2f156dc81d7d7b81
SHA256 77f4def79e1ee43b091b1df15dbbf032227415135e907f9a4cee93ccddbf696e
SHA512 febb3682c1a9a22fc2073cdd00bcf45871787ab08f9349452a0f5ef3137e5c17cb0565599732d25c09663772f82422f087b0ff5b580dca63fbe093e098a9d611
-
\??\c:\Users\Admin\AppData\Local\Temp\qx1ftn2b\qx1ftn2b.cmdline
MD5 913bd9bb9f62a9ed62a2e566282e862b
SHA1 6a872b2c31a5699e5b05395723baf2dcf71c923e
SHA256 ed09470ad18b857f619fb2abc4ad447b249f7e71c21ce551351bfdc84fb64096
SHA512 e04849eb2ce661b27a24e52e3291eb26df51c3b3e3f5e2bbc6827f72abd210be7129e135f3ec19859ae32af82629cf33149528ab80bfec9c9ea8f6f1b3877edb
-
\??\c:\Users\Admin\Desktop\CSC182DD043AD604E74BBA19C8E59C89B41.TMP
MD5 e435cda305139db4ae0dccd168dbeb72
SHA1 aeb4cfab2d00c026fa7e6c91b0c7f6809d315cce
SHA256 155b4ec940b44148f63ab5e76938986da34f2f113d5d888b0b2ca2d3c7ce1bdb
SHA512 b8bbe3feeeec54ea387dc9684ca97d5e0be21b4dbf5861b977d2d17538175670dc81fde4ba6be3d0e1871583c947b25f6bc03929594a493617e1159f98dd2c3e
-
memory/508-144-0x0000000000000000-mapping.dmp
-
memory/740-118-0x000000001B524000-0x000000001B525000-memory.dmp
Filesize 4KB
-
memory/740-119-0x000000001B525000-0x000000001B527000-memory.dmp
Filesize 8KB
-
memory/740-116-0x000000001B520000-0x000000001B522000-memory.dmp
Filesize 8KB
-
memory/740-114-0x00000000008E0000-0x00000000008E1000-memory.dmp
Filesize 4KB
-
memory/740-117-0x000000001B522000-0x000000001B524000-memory.dmp
Filesize 8KB
-
memory/820-128-0x0000000000D40000-0x0000000000D41000-memory.dmp
Filesize 4KB
-
memory/1124-139-0x0000000000000000-mapping.dmp
-
memory/1316-138-0x0000000000000000-mapping.dmp
-
memory/1708-123-0x0000000000000000-mapping.dmp
-
memory/1820-140-0x0000000000000000-mapping.dmp
-
memory/2156-155-0x000000001BC80000-0x000000001BC82000-memory.dmp
Filesize 8KB
-
memory/2156-148-0x0000000000F40000-0x0000000000F41000-memory.dmp
Filesize 4KB
-
memory/2184-142-0x0000000000000000-mapping.dmp
-
memory/2824-141-0x0000000000000000-mapping.dmp
-
memory/3268-120-0x0000000000000000-mapping.dmp
-
memory/3460-136-0x0000000000000000-mapping.dmp
-
memory/3652-143-0x0000000000000000-mapping.dmp
-
memory/3672-137-0x0000000000000000-mapping.dmp
-
memory/3716-130-0x0000000000000000-mapping.dmp
-
memory/3716-135-0x000000001C302000-0x000000001C303000-memory.dmp
Filesize 4KB