chaos | a576cf0982b75dccdf9e9ab9f8070103f507147dd120e757d94659b8d94ee225

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa.exe
Size

18KB
MD5

d812020fc265dfb10a4dee8c239e14d0
SHA1

69bf67761b8c07f0250a194e7d6ff44e74b22e02
SHA256

a576cf0982b75dccdf9e9ab9f8070103f507147dd120e757d94659b8d94ee225
SHA512

f94a9930ed34fbbdbddd5e146a88a171447d18d5c82d0e37c56f907a485a78f124a4c3c6b1ac05e52f57988527d2af6b872a12f02584b86d88e8c5ee4ae558a1
SSDEEP

384:r3MLWHn3kIASb5pl0joO7c4J/r91CzFb4ex:3n3kIP5pmBP/r9iFb4ex

Score

10^/10

chaos discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\read_it.txt

Ransom Note

All of your files have been encrypted by Pon Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/1240-0-0x0000000000D80000-0x0000000000D8A000-memory.dmp	family_chaos
behavioral1/files/0x000600000001e554-6.dat	family_chaos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	aa.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3692	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	svchost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3060	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3692	svchost.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
1240	aa.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3692	svchost.exe
3872	msedge.exe
3872	msedge.exe
2204	msedge.exe
2204	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2204	msedge.exe
2204	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	aa.exe
Token: SeDebugPrivilege	3692	svchost.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 3692	1240	aa.exe	87
PID 1240 wrote to memory of 3692	1240	aa.exe	87
PID 3692 wrote to memory of 3060	3692	svchost.exe	88
PID 3692 wrote to memory of 3060	3692	svchost.exe	88
PID 2204 wrote to memory of 4452	2204	msedge.exe	91
PID 2204 wrote to memory of 4452	2204	msedge.exe	91
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 1836	2204	msedge.exe	92
PID 2204 wrote to memory of 3872	2204	msedge.exe	93
PID 2204 wrote to memory of 3872	2204	msedge.exe	93
PID 2204 wrote to memory of 4444	2204	msedge.exe	94
PID 2204 wrote to memory of 4444	2204	msedge.exe	94
PID 2204 wrote to memory of 4444	2204	msedge.exe	94
PID 2204 wrote to memory of 4444	2204	msedge.exe	94
PID 2204 wrote to memory of 4444	2204	msedge.exe	94
PID 2204 wrote to memory of 4444	2204	msedge.exe	94
PID 2204 wrote to memory of 4444	2204	msedge.exe	94
PID 2204 wrote to memory of 4444	2204	msedge.exe	94
PID 2204 wrote to memory of 4444	2204	msedge.exe	94
PID 2204 wrote to memory of 4444	2204	msedge.exe	94
PID 2204 wrote to memory of 4444	2204	msedge.exe	94
PID 2204 wrote to memory of 4444	2204	msedge.exe	94
PID 2204 wrote to memory of 4444	2204	msedge.exe	94
PID 2204 wrote to memory of 4444	2204	msedge.exe	94
PID 2204 wrote to memory of 4444	2204	msedge.exe	94
PID 2204 wrote to memory of 4444	2204	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\aa.exe
"C:\Users\Admin\AppData\Local\Temp\aa.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffda8e646f8,0x7ffda8e64708,0x7ffda8e64718
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,6543758589389231935,5775944292888587644,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,6543758589389231935,5775944292888587644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,6543758589389231935,5775944292888587644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6543758589389231935,5775944292888587644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6543758589389231935,5775944292888587644,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
64009730b3d43dc1e59afd200b9c00d5

SHA1
abe0ce57288dca03f4e1e4d90b238dc9fb1fd2c8

SHA256
5374116117c1c21d13bcb192a4a7b71fddc3ba1601546c22e681a91f55a57d0e

SHA512
5317d05d2d9a0d42d98cb516a77f0392ba20cc5054ee4447bfbdbec3c8166b66938178d21b504d76161cb7063fd7a2b4cc438d198d8d8aef129077bed17eeea9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
689c4d202ba6352ae263a0acf1796834

SHA1
46d163a6eb72f2cad478828c568a58f42bd370d1

SHA256
3399f15c1ef9fb3ae49cab8175daec2746b9d2b65f746abf5643c9697b03f957

SHA512
5b6a4d3eb7885cbb2969685dec255cf2ac6512fe27372ea01002df64e4932e38556f37fd7192de69a6e69ae2340dcec5a2ac0470f467151a42ae5bdd40fb97ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4c13fe48818f81af89b85c8fa683f02b

SHA1
919a16a57dd7bcbf96481df4b85f00cc7615f106

SHA256
8f3ff59b30ee2f8f7a209457fa767c999c52a1bb5475f2b7a091605bd4e60d29

SHA512
afec2da44548d0483c79a697054541a2b958aaf80a3d15cfb268835b4bff87fe04ccbe62beb0a6ee625264118d8c9a9d7392b02ff825ddf0f272768b31f1ae81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\read_it.txt

Filesize
886B

MD5
8f52688568bb3eeb53664f8584fe24c9

SHA1
f634f4f94031e5c2b4d736b379cfd1a83571b496

SHA256
ea7db6da967d15ebe74bd51019979cd6ef622b25f6d3890d2e1473de6d1a345a

SHA512
fe4400159041b5eb34eb26fcf0105b38ce89370a75644541eb7929edffa126638aef24fff3ce07dd01184594c3f86604e36dba885b4a6e677431d7e7e6d4da8f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
18KB

MD5
d812020fc265dfb10a4dee8c239e14d0

SHA1
69bf67761b8c07f0250a194e7d6ff44e74b22e02

SHA256
a576cf0982b75dccdf9e9ab9f8070103f507147dd120e757d94659b8d94ee225

SHA512
f94a9930ed34fbbdbddd5e146a88a171447d18d5c82d0e37c56f907a485a78f124a4c3c6b1ac05e52f57988527d2af6b872a12f02584b86d88e8c5ee4ae558a1

Download Submit
C:\Users\Admin\Desktop\AddConvertFrom.bmp

Filesize
703KB

MD5
770088af168e557b347a69e734fd6dbb

SHA1
579c5705f142cf38a77a9c8423f9c1092012b790

SHA256
f5b408aa3177cdb51ab3e7ec4fcea0e2bf69addaa3423d94c3ecdb5a65c9c5da

SHA512
6de2d09cd458e1ea66140453efe01b565899301a61ceb4f57ba13ad1b50c5065da63359ce2bc9f96f8282d1d6ecba9a86968bc4ef166e2337bb93eed34e94714

Download Submit
C:\Users\Admin\Desktop\AssertCheckpoint.wmv

Filesize
429KB

MD5
fe8139ffa0674e58b5bd5eabd320ed0c

SHA1
3c89a2901636be6b9d063b12483a22f04dc6252a

SHA256
d53aa93f78b150e729b47de8a907a801dfce0e2119ebb60ad34d1f2a0c993c1d

SHA512
2f88c6bdda8ad1e385def973ec6375c727fdee924424fb956fea97f3395d2c0015e1571a7db01e40553ec8fc84cbfdc4219dfef793fa308a9775cae02093e9f9

Download Submit
C:\Users\Admin\Desktop\BackupEdit.ADTS

Filesize
465KB

MD5
f82a33750087b72be90fb145b0f079e1

SHA1
55529c742b6cbbdad3bfb1ec2c24ba92111e7139

SHA256
25ce453fddad6022e58d9eacd178aed49adfa6f6e4d78339697f50a29c1c1d04

SHA512
76a0a00160b98fb689dc389d9d3fa16779bf1e93259dec8c7c78401f1dec28118c1bcd459b25bf449b0613ebb7ef11b718af9d7415bba5a509ecd1c9a90ba74d

Download Submit
C:\Users\Admin\Desktop\ClearRead.xlsx

Filesize
13KB

MD5
bea92bc2e4f61d18e9084c0ef0ff8724

SHA1
7ae8a1288072d171546d721b7a062a7c0c0ca087

SHA256
9e86684313cf814bda32fb73f2ebdf0939ddee22b4d3fd033d18b7f79a1b5ecf

SHA512
c468a8b8472cd945d8523867646e22e60a7509139ea9c6ffeecc49a9118328eb0582e3032d1ffaa1e001f07e37e95be7bc6879bb869b822e756832c4965f15e2

Download Submit
C:\Users\Admin\Desktop\ClearRequest.mpg

Filesize
611KB

MD5
c7b5c16e9269c5a2fb4763eed02705bd

SHA1
f99cc1381e22880fae70324dd4cff8c3ea379293

SHA256
84b9713f23199e639eb0f59d7227ba14a97c8b3d93f0dd1b32219145265b6905

SHA512
e7403c2aa1d577e2ef0384f4e9232413a6ecc3c502e5bca64b8ab6f7999b27210bbcaa5ffee0e5e4d4fb41f7881db7adca80c434575414c2411827fed69b904b

Download Submit
C:\Users\Admin\Desktop\ConvertCheckpoint.wvx

Filesize
629KB

MD5
ea98dad1fadbebbdf2be77acc61acbc8

SHA1
6b8f258930281e2a50b7cc95cce6f4c554fc7e20

SHA256
d4af0b0973582497a9f9922118ef1df4b581b07f85f2528e3cdcec79f803b7a9

SHA512
186c9a216dcce87d26ee63bc414295f1fb87e7846bf47e344e9f095f98addb879fb0d379f9fd5512ecaa2d482c951660d9b3ba9c0ca36e88b1d5c364682e3fb0

Download Submit
C:\Users\Admin\Desktop\ConvertConvertTo.iso

Filesize
648KB

MD5
324845c66191784adbe3090c5af47296

SHA1
a4b7ae94a12442047668e493a3616e786bf15bbc

SHA256
f7e43a20c0e7c7805cb48a17501104e1080c0832dd4578331f6a5a0de02a2407

SHA512
c69f768787d2af3b21aa05ee3d71d740b0023725592b5875ae449ae6bcbb9ff577a46a73c33b3e322a86406c1424b3ced842f604e9df966b26aba6830f339553

Download Submit
C:\Users\Admin\Desktop\CopyCompress.wmv

Filesize
593KB

MD5
bbc2e4e1d5fb982de72d85259dbf1900

SHA1
4748163a75d765c843d6bd4e93b36850b5c55f8a

SHA256
0647221926ca5af4046fc8b4eadd560e387ddb9a93092f1cf41152d91dfc7a35

SHA512
acbde646ca369c4369bc69b38a703729a00366043a747f1460946edc346083a0b494fe26de9eafee4ad48e0d168fd42fd6ec4172c1254b545dbbf1e972c35c9d

Download Submit
C:\Users\Admin\Desktop\CopyWait.fon

Filesize
283KB

MD5
f481b660bf48154284d1b00c3d74d682

SHA1
8c8564f6faa4011fac31be67252e62618082879a

SHA256
b6808176ee6dd2a011806dd6d5bdf1cf939e3db3d7811b4abf5e1630a325e118

SHA512
659246b9150a6b0587df9733b259ee4c7d9d3e239781901350ae71b3291b7cdd81aeeb2c8072f1dd3c6d202609457b7c88f124e960fb0a7ec29521ff27180866

Download Submit
C:\Users\Admin\Desktop\DebugUndo.ram

Filesize
538KB

MD5
cc0f86ed4e00b9144d5f06ac4a291e3f

SHA1
4a0904e876ced708425ae0718318aecd37c7983c

SHA256
9d6547ba4f8b20f49e28e06ea51e22543151fc1efdca2ede59dcba38de84656f

SHA512
fe8578ed9f3483f322abe808ab25b8787050c6bd013bfe0eebdf3f136f00092f670981bd407fa12b4a8403180b461a0b3bb49e1df06785e06597868f71416a93

Download Submit
C:\Users\Admin\Desktop\DisconnectEnable.avi

Filesize
666KB

MD5
23a3943fa9c59b55a7b32b40fd6c9127

SHA1
16bc54e9cbdea7bf20cfa8357df136394b94704e

SHA256
69f55f2f3e47430e584285010644aa2e9a69fe37868b7efb0ef6a339a4f75734

SHA512
38b12819c8cae343551e1f0fefdc67613cd26c5f5824e825d90613e7d123fea29665a17173aa2c2954e2cce9ea840fec257d25e2c2bcaed8c4df9d45b141ea2e

Download Submit
C:\Users\Admin\Desktop\EnterCompare.gif

Filesize
520KB

MD5
df658665db77c9dfd019626882b9e36f

SHA1
e18dab7e6816948d71688bde94f71038384a08b2

SHA256
85cf0bdc6ae61b34ddf286f1e1088f06373bd5aba4c59c5af12c190f69fe49e7

SHA512
1aa13263574b68a0532e1b48fc8651faca32d63c7282d78d5f7719962a71c8b7dbd4d61dcdbcb9f59771c99881de825ad5fc1e9eb39b94b9cfbd2c57531a7844

Download Submit
C:\Users\Admin\Desktop\EnterUnregister.emz

Filesize
483KB

MD5
3a8f496010d4e9c1834eea3cf49d8b60

SHA1
83007eb689e0ee7b4848cb14db323cba18422490

SHA256
fadf230844d06c56098db938ce26ea2fb69fe070c38d8cf0e1c414166b91e5b5

SHA512
af0687d22b3796761cf51d5c1c876ad0eb2d4b53704a09d8a4553ee6d247e9660242383bc52786a865275bc596b25c2d535ad0a0f23e0a2f45dc91332fcd52cf

Download Submit
C:\Users\Admin\Desktop\ExitOpen.docx

Filesize
19KB

MD5
82832f6906be7a24a4edf50c9497c583

SHA1
e17161228fc17934feb56b1f5fb8ffd9a1371ad2

SHA256
f66bd4771497292897328d9a9f186a2c497d8029779a215e2b304cc3d8cba8bb

SHA512
2bf905d45c403538adc69b2d580fe409359d4cc0e9baebae9569c3ac078e57a1f5a99a5fae1a2f79b53640f04f02f44d69127f6c251a761c840795a2754ff4b1

Download Submit
C:\Users\Admin\Desktop\GetConvert.aif

Filesize
246KB

MD5
44ad703ca3eeb86e4395ebd89f5f743e

SHA1
efa95308c157149b7bbf12a0fe86813c4cf7c253

SHA256
19ea65cf81a2b451a2ab4ca1a9a7afe4dabd1e2669478c435c2bbae5df554295

SHA512
089b849da797206b54158413d494ee4022ee0f87bae8dd4672e30a726550192d2148c5933c913f3f425088ceb186a949b491a9f3639ddf70b4db1fa4e3ade58b

Download Submit
C:\Users\Admin\Desktop\GrantUnpublish.css

Filesize
374KB

MD5
a8b836f4184683ad045a020363c32baa

SHA1
75845ec5c311bae3585947e273eeec0d3e328042

SHA256
5f460ec84a373a7ccb8aaf33e645bc095e24adfc5b97b1104a6b5f6f26dbbad8

SHA512
3e021dfc62e933d2b0069b89ddf08e5993d1640cdd535a441629d79987b34daacc104c23e4e86cdc9746667778a132e1dc2843bcba177196a8741344a97945f1

Download Submit
C:\Users\Admin\Desktop\InitializeClose.ps1

Filesize
392KB

MD5
9220fd97e270b6da775993b7b5390908

SHA1
b92d399913c8591b847d7098d2cff77afea08803

SHA256
e11798819283a3e970bd21a5f77f3d88d60e690105e11e34fec55782a54df75d

SHA512
07d7fd940eca2db60435b0bef3243ede0685657e33f3c43edc19b86d86dd7171ec0ca99aa8905e69b8cbd657dc27523a1b49819bf5bf989de8c11c514f8cd935

Download Submit
C:\Users\Admin\Desktop\MergeOpen.ex_

Filesize
301KB

MD5
9e1eaf090a0b7af76b7bb102723fd158

SHA1
3595df1cf8a3a1f4c8f0498033c7499c4f67ab29

SHA256
72412581ab4d05b27cfb39bea40f7b895855a2a0ceef91117264bfbbf7a70317

SHA512
38c009f9e2207702a46320c74e2449128cb10e68533c62ddc0753c4a45bcbf31ae0f5654a4bffb46bdc79d84cd216f4c9e2fd8a223204d8996817bafd3eb02bb

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
8a09535d0b9ef0bb39b5d16d226970f4

SHA1
f71732d6b2816d62f32191e74e8bdeed5b444d3d

SHA256
0dbfd9d243a9ae62ac99caaa20f52c1a422203469f9e3469d7675b1b4e06d941

SHA512
e34dcd0dfcba6fd8416b21168561724a4431eb726e280b1619cde6afd1454e272d41842abb798ce326de1a93d358ee14c9be99192974668e142a8d292459ac5a

Download Submit
C:\Users\Admin\Desktop\NewOut.exe

Filesize
502KB

MD5
60c40eb26c546c4496028cc978e894a7

SHA1
817067a1cf690d418e13148831deff5332faa312

SHA256
282fe351610d592e825a149390f467098fa0f7c14827a5db6404d5457deb6fd3

SHA512
c50d7ad97f43d9b8cbb3d136c1d9785b7ad878c78f7a00cf0d3d1b98b7375cadf0f6964577543bc626621a8f76188f23cf6e6bbb539607550e815cf6105af5dd

Download Submit
C:\Users\Admin\Desktop\PingGrant.ppsx

Filesize
337KB

MD5
fd097d3db79c6b9f902a58a11318fb91

SHA1
7ee690b2887a269b0c8afdf233ef661a06248bfd

SHA256
c9ce32da61824d76fe139d8f53786e3139a7340cb59def845c657f2a58de088b

SHA512
0897bd625a7eae46b93f944da3457a4be3f9a08848e50779e6e1c0df34a427369bd5ae226d79aaf9a6c89ee32b65802cb07ebba931a8dcec0b60caaa2734f4ee

Download Submit
C:\Users\Admin\Desktop\PopApprove.ods

Filesize
967KB

MD5
d10302af62b6907d2a09ec32a523ed35

SHA1
588cfbd2fba9cf0ac60ce9b2b3381c2bf6853134

SHA256
ee4556d94fe4f4ebf7352a4b535350b4d5c6b12e624c29cdc545375db99e2d78

SHA512
588cc5040abaa9184b7b927b68486413f4352c8bc556a8a0ede609f66530494454bf7144b978de3dd543dfa570754c2ce0430a5a95679d6ab4988634138d46b0

Download Submit
C:\Users\Admin\Desktop\ProtectJoin.ico

Filesize
684KB

MD5
179708d508203a45454e9f7ac0692309

SHA1
ce3523f26e93bc15d479b8d077954b3ee577c2b2

SHA256
c207073abb64767362dc7bfd3bebf50dc445524460afc173b0a2e1eafe901ec7

SHA512
23fd25db02b7f1539f1323326bc77bbedea81661be93e58b071c7e283122d6c59a55ce2ab08addac61dca952d0fce99e2c76d04a4294ef4400726ae1a2944b0a

Download Submit
C:\Users\Admin\Desktop\PublishRepair.xlsx

Filesize
14KB

MD5
e1c3531ddf49641eeb7c1e28e8c30cb3

SHA1
074bbcb6bceadcd2fc90ba85abd96cc935faa0f1

SHA256
e4e2377220237987020980ac43efa6fd3d84c87dc647b0ac0379482c74fcc04a

SHA512
f234a3d7b94469b692bedae5974176f0f3a427717cd6f1efd0e8a3b589912285dedbd842b7adbea4713a9f12d7c0f831a3046fc8890fe4ddcd9505211b626742

Download Submit
C:\Users\Admin\Desktop\RepairReset.wvx

Filesize
556KB

MD5
b536de03037c8a0940250db1489ec135

SHA1
db8989a14363a7f62bbab2f46e04ef7f38f18dd3

SHA256
5f065bf377f4d416d6e89d9b9581626f5bdada69a4b70d75bb0ff98bac08e74b

SHA512
1a66fc52bd59fb7b3d397556eabafed75ff7901fb5e4c4f74c1e27f7c622edd8e4e113c181c9cbcb15867d3b78e8be3835fde91a035a395ad2cb7250960bb2ef

Download Submit
C:\Users\Admin\Desktop\RestartImport.wma

Filesize
575KB

MD5
ebd2e7f723de8a36d5ed8db1a78fb4b9

SHA1
fae64d9af7b8c983e5b8e9ec4dabba73ed53e37a

SHA256
1d3014a2bfc1a0c1feb3f4e7d17b67d6d401f42476f535c04078cac99d2a5d23

SHA512
7a26678c4b7cdca5a28fbcc54bf238436d4229102b71b590b4334655f9ad8854080de687b8fa9963088cadb65fe9c2939ba00910b2c70dc143b07e0910353998

Download Submit
C:\Users\Admin\Desktop\SplitMeasure.mpg

Filesize
264KB

MD5
ce8d5e7dfc7ced9163d861234a5df2f4

SHA1
352e8daf284d5c794411e720231086dfecee9d59

SHA256
8521668d2169b135e728e6aa4e9b8e59e74a02d5431d135c101ae4c30db84842

SHA512
36bbdf5cc2d87629c4f2ff3ed5c15c2b640839f5b027409fffcbf5759f11734bb50f585bb418239510180a079409e74824dca9c8eb820183ebba47caae0995d7

Download Submit
C:\Users\Admin\Desktop\SubmitExit.dotx

Filesize
447KB

MD5
15435a5b9d077a4e211ff87a61772d5a

SHA1
3e54870455a914f86c15c8090f554f259c903fee

SHA256
11b7911158a0081949304a3f571bbe898181599de5e534d1cc8bf6d6b51dbf23

SHA512
a256eb16c22d7e15dcdce4b90f579845fa422d1e6a60f12cc03890ef7707ba9ac5ecfc098a5cb678242e9816f32ffebbb1659be32b7dbd9e847bbfbab3ca6314

Download Submit
C:\Users\Admin\Desktop\SwitchWrite.lnk

Filesize
319KB

MD5
585e44bdc2ee7a7bbf1c9d980d889408

SHA1
138c1e2b9f49e74b46449cdba8101eac73296195

SHA256
8c657aa90f4d9c7ad199457527b61a263acb25ac31f7f250a36dc1425ca82573

SHA512
f62a8d07aa654cd6f262d3cc1106098925a96c117197ef3f24ae887f183b229037fa671669c0fb5785156a1e58ffc1ac4188ef1cb8a7f478a09927c8abf69fbb

Download Submit
C:\Users\Admin\Desktop\TraceShow.xhtml

Filesize
356KB

MD5
b436032732f30de935b1b5c944274ec9

SHA1
bed9821e2d3e743c8a8113ec9935f3541442633f

SHA256
f0a3fe1f1e3f64d17c147da73b80ec394219db6538f4b758c35aeecfb0bc65c1

SHA512
815cd7338b05bc366da17acb5199b51915b31c1fbf628d4fed268d0ead09c3b01c081aed1856209068f8bc065a0e38b300b12bfb5e5d8f45cc02112762881ca0

Download Submit
C:\Users\Admin\Desktop\UnregisterResolve.docm

Filesize
410KB

MD5
848354cae2b4dbd678344733c4f5beea

SHA1
30c96c6c22844a9113c68ad0cc74b71e8c5532fc

SHA256
b01f186aa0b20819afb7d480436213113e974d183925d7198c5f2405cf500081

SHA512
7a14dfd1145da23d7faceb605b92a00388dd6b56241391f1e2c91ba1e9f8b3ed07a5b8b37e35a1bfe21d6e71c60737753ce96867cc74cf17bfca11fde296b86c

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
1b99e9c0b18a8ff11628c78ae7ec8b22

SHA1
1c7498935760542ffb55042b1107b187366ab867

SHA256
16a6a0ee84ea6ec319455a8cbdc0a07d9cc6611e82990f9409693540e33e4cb2

SHA512
4971dc65ef122cfe0f2f692bc9e51a1155528b54de464a70803166e55e3c36901615e8d56a73a7628f5ad2e805c0f352a93ff6a8bbd86ff4a9f06573a8f994c8

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
4942c4c797eed6534d0792598d08fbe7

SHA1
66be92c5edc30be7c9788f62396db6b5e64dda6f

SHA256
bc26b6153689daf93433103e32a3cf4bbcc4db3e9fb86a6fc04e6d6b81377fda

SHA512
db4d5f96662252219459b35e26e0ed21bab96369062db35bc98c320d1222ce4fc6ff46fe780c80ff17545cbdae791a5b336aa2dfab9f494a365a15af64cfe6da

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
6a8ef17f2fe9cacfe23e81d7409a3abb

SHA1
7c13152fecc4bcb0a87a7b74295cd76e79c66025

SHA256
a8136f466aab7ae5ec676bff17c64a081ae5fe68de080f9f1cc07a1e902e7d0f

SHA512
a0a2112f7b71cb71b7476aec1535b5d3f4505e426e7484ce413a7a123b58aa4dd164fa6f2565bba7a4a11ee27c3252e9b06b7c6851f999e5164153cb0a736821

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
134ef290d60394e43e872257422568bf

SHA1
51bc930c102728866e0782014e29a117d07467d4

SHA256
59ceb15e1204242d95ccf8774e928507c8ca0f7ef390c03a07b0fbcfa85459bc

SHA512
ad2b62d2920cd50a6fc170c15bacfd58e817e8f8b868245fe9e478cf2bdc985ceb745c7f237eb0bc39ccbbe2aac9197dcd9643b30aa618d658f6df417e983a88

Download Submit
memory/1240-0-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/1240-1-0x00007FFD99B73000-0x00007FFD99B75000-memory.dmp

Filesize
8KB

Download
memory/3692-114-0x00007FFD99B70000-0x00007FFD9A631000-memory.dmp

Filesize
10.8MB

Download
memory/3692-14-0x00007FFD99B70000-0x00007FFD9A631000-memory.dmp

Filesize
10.8MB

Download