Analysis
- max time kernel: 292s
- max time network: 303s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/03/2024, 13:35
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Hacker2425/Ransomware-Builder
Resource
win10v2004-20240226-en
General
-
Target
https://github.com/Hacker2425/Ransomware-Builder
Malware Config
Extracted
C:\Users\Admin\Documents\read_it.txt
chaos
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 5 IoCs
resource | yara_rule
behavioral1/files/0x00070000000232b3-216.dat | family_chaos
behavioral1/memory/5828-217-0x0000000000C80000-0x0000000000D0E000-memory.dmp | family_chaos
behavioral1/files/0x000700000002346c-283.dat | family_chaos
behavioral1/files/0x0007000000023473-720.dat | family_chaos
behavioral1/memory/5488-722-0x0000000000D30000-0x0000000000D3C000-memory.dmp | family_chaos
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | LOL ransom.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | svchost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | LOL ransom.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | svchost.exe
-
Drops startup file 8 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.btho | Decrypter.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | Decrypter.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | Decrypter.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | Decrypter.exe
-
Executes dropped EXE 7 IoCs
pid | Process
5828 | Chaos Ransomware Builder v4.exe
5488 | LOL ransom.exe
5424 | svchost.exe
1460 | Decrypter.exe
2676 | LOL ransom.exe
4980 | svchost.exe
5828 | Decrypter.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 64 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbs6greww.jpg" | Decrypter.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vgyu1fyed.jpg" | Decrypter.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Modifies registry class 64 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
pid | Process
5464 | NOTEPAD.EXE
5920 | NOTEPAD.EXE
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
5424 | svchost.exe
4980 | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2324 | msedge.exe
2824 | msedge.exe
3132 | identity_helper.exe
4656 | msedge.exe
5828 | Chaos Ransomware Builder v4.exe
3084 | msedge.exe
492 | msedge.exe
6092 | msedge.exe
3956 | msedge.exe
5488 | LOL ransom.exe
5424 | svchost.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
5828 | Chaos Ransomware Builder v4.exe
6092 | msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
pid | Process
2824 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
description | pid | Process
Token: SeRestorePrivilege | 5600 | 7zG.exe
Token: 35 | 5600 | 7zG.exe
Token: SeSecurityPrivilege | 5600 | 7zG.exe
Token: SeSecurityPrivilege | 5600 | 7zG.exe
Token: SeDebugPrivilege | 5828 | Chaos Ransomware Builder v4.exe
Token: SeDebugPrivilege | 5488 | LOL ransom.exe
Token: SeDebugPrivilege | 5424 | svchost.exe
Token: SeDebugPrivilege | 1460 | Decrypter.exe
Token: SeDebugPrivilege | 4680 | firefox.exe
Token: SeDebugPrivilege | 4680 | firefox.exe
Token: SeDebugPrivilege | 2676 | LOL ransom.exe
Token: SeDebugPrivilege | 4980 | svchost.exe
Token: SeDebugPrivilege | 5828 | Decrypter.exe
-
Suspicious use of FindShellTrayWindow 56 IoCs
pid | Process
2824 | msedge.exe
5600 | 7zG.exe
5464 | NOTEPAD.EXE
4680 | firefox.exe
-
Suspicious use of SendNotifyMessage 35 IoCs
pid | Process
2824 | msedge.exe
4680 | firefox.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
5828 | Chaos Ransomware Builder v4.exe
5828 | Chaos Ransomware Builder v4.exe
6092 | msedge.exe
4680 | firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2824 wrote to memory of 2912 | 2824 | msedge.exe | 88
PID 2824 wrote to memory of 4836 | 2824 | msedge.exe | 89
PID 2824 wrote to memory of 2324 | 2824 | msedge.exe | 90
PID 2824 wrote to memory of 4128 | 2824 | msedge.exe | 91
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Hacker2425/Ransomware-Builder 1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd0fb46f8,0x7ffcd0fb4708,0x7ffcd0fb47182⤵PID:2912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:22⤵PID:4836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 /prefetch:82⤵PID:4128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:12⤵PID:4444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:12⤵PID:492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:82⤵PID:3788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3132
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4632 /prefetch:82⤵PID:540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:12⤵PID:4736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2940 /prefetch:12⤵PID:5956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:12⤵PID:5964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:12⤵PID:3488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:12⤵PID:980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3908 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:12⤵PID:3512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:12⤵PID:5680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:12⤵PID:1624
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:12⤵PID:5296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:12⤵PID:6128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3460 /prefetch:82⤵PID:6068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5684 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:12⤵PID:6040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6464 /prefetch:82⤵PID:4916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:12⤵PID:1112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:12⤵PID:3120
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:12⤵PID:5384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:12⤵PID:1872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:12⤵PID:6108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,6026185358866343928,7051027757293487731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6592 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3956
-
-
C:\Windows\System32\CompPkgSrv.exe C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵ PID:992
-
C:\Windows\System32\CompPkgSrv.exe C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵ PID:2568
-
C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding 1⤵ PID:5208
-
C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap9664:104:7zEvent5892 1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5600
-
C:\Users\Admin\Desktop\Ransomware-Builder-main\Chaos Ransomware Builder v4.exe "C:\Users\Admin\Desktop\Ransomware-Builder-main\Chaos Ransomware Builder v4.exe" 1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5828 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\chqabunh\chqabunh.cmdline" 2⤵ PID:5768
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93D.tmp" "c:\Users\Admin\Desktop\CSCC2F2DD17484343A68E51FF61DA772CD2.TMP" 3⤵ PID:6120
-
-
-
C:\Users\Admin\Desktop\LOL ransom.exe "C:\Users\Admin\Desktop\LOL ransom.exe" 1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5488 -
C:\Users\Admin\AppData\Roaming\svchost.exe "C:\Users\Admin\AppData\Roaming\svchost.exe" 2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5424 -
C:\Windows\system32\NOTEPAD.EXE "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt 3⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:5464
-
-
-
C:\Users\Admin\Desktop\Ransomware-Builder-main\LOL-decrypter\Decrypter.exe "C:\Users\Admin\Desktop\Ransomware-Builder-main\LOL-decrypter\Decrypter.exe" 1⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:1460
-
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" 1⤵ PID:640
-
C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" 2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4680 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.0.1848531638\771005402" -parentBuildID 20221007134813 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a079c0c0-a008-4691-b697-d21f15eb090e} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 1944 14cfecd9358 gpu3⤵PID:4092
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.1.196734479\895167804" -parentBuildID 20221007134813 -prefsHandle 2328 -prefMapHandle 2324 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63cd6964-35fd-4966-8b2d-957339147059} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 2344 14cfe643858 socket3⤵
- Checks processor information in registry
PID:2792
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.2.274380909\1085613897" -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 3244 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ca66aa6-5c22-4239-9a0a-12949923e3e4} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 3260 14c8a5fbd58 tab3⤵PID:4200
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.3.1654493506\62004897" -childID 2 -isForBrowser -prefsHandle 3696 -prefMapHandle 3692 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae16f8cb-0d90-4d11-b370-3d1b263f9d2e} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 3704 14c88f52258 tab3⤵PID:456
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.4.1033532278\1227856169" -childID 3 -isForBrowser -prefsHandle 4068 -prefMapHandle 4064 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {efff556c-46cd-4f2b-be24-a53bf6087193} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 4052 14c8b7fa858 tab3⤵PID:1960
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.5.1812144367\473810913" -childID 4 -isForBrowser -prefsHandle 5076 -prefMapHandle 5060 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aeac93c8-22f8-4c64-abc5-f9f1b449afdd} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 5088 14c8c5db158 tab3⤵PID:4864
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.6.1456946285\360004421" -childID 5 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37a2cf9c-6f3a-47f7-9ed3-9f6d17069e54} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 5152 14c8d08b558 tab3⤵PID:5312
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.7.783069825\5653722" -childID 6 -isForBrowser -prefsHandle 5356 -prefMapHandle 5360 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1152 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f6f9f94-c3cd-4a9a-9cf2-e32875ec3e53} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 5344 14c8d08a958 tab3⤵PID:4508
-
-
-
C:\Users\Admin\Desktop\LOL ransom.exe "C:\Users\Admin\Desktop\LOL ransom.exe" 1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2676 -
C:\Users\Admin\AppData\Roaming\svchost.exe "C:\Users\Admin\AppData\Roaming\svchost.exe" 2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:4980 -
C:\Windows\system32\NOTEPAD.EXE "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt 3⤵
- Opens file in notepad (likely ransom note)
PID:5920
-
-
-
C:\Users\Admin\Desktop\Ransomware-Builder-main\LOL-decrypter\Decrypter.exe "C:\Users\Admin\Desktop\Ransomware-Builder-main\LOL-decrypter\Decrypter.exe" 1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:5828
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 1KB
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 3KB
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk.6pv3
Filesize 407B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\datareporting\glean\db\data.safe.bin
Filesize 2KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\datareporting\glean\pending_pings\875dff76-df06-48f9-9286-464bb5366f9b
Filesize 746B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\datareporting\glean\pending_pings\f085b9bc-238e-4b4c-bbc9-5755b8a6f3fa
Filesize 11KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionCheckpoints.json.d14z
Filesize 288B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\sessionstore.jsonlz4
Filesize 882B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tooqwtv0.default-release\targeting.snapshot.json.pthn
Filesize 3KB