Malware Analysis Report

2024-10-23 19:52

Sample ID 240920-bf79ya1anh
Target 2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry
SHA256 a29f7f16177b1aed8ad6b56dbe19763b9264734304cfc3db9b5c3ce77ea1e08f
Tags
chaos ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry was found to be: Known bad.

Malicious Activity Summary

chaos ransomware spyware stealer

Chaos Ransomware

Chaos

Chaos family

Reads user/profile data of web browsers

Drops startup file

Executes dropped EXE

Checks computer location settings

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-20 01:06

Signatures

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Chaos family

chaos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-20 01:06

Reported

2024-09-20 01:07

Platform

win10v2004-20240802-en

Max time kernel

84s

Max time network

85s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\72n87io67.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "242" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe

"C:\Users\Admin\AppData\Local\Temp\2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39ad855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 13.89.179.14:443 tcp
US 8.8.8.8:53 udp

Files

memory/4544-0-0x00007FFC8CD43000-0x00007FFC8CD45000-memory.dmp

memory/4544-1-0x0000000000910000-0x0000000000950000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 c47451e9db6bc856051f49f728e05e27
SHA1 3a6eae645c5c44ed2933aed3379ae6f7e1ab8331
SHA256 a29f7f16177b1aed8ad6b56dbe19763b9264734304cfc3db9b5c3ce77ea1e08f
SHA512 7a85e7bc7be2f71f799b918bd42dfbc6043ef6222b12ff6b7258bfeeadb38c4f3186ece742a589aa224292749fa66089faca161248b15793ae1a93975bde586a

memory/3692-14-0x00007FFC8CD40000-0x00007FFC8D801000-memory.dmp

C:\Users\Admin\Documents\README

MD5 247fd138d3881e0b6135f930d272158a
SHA1 e174a53071e17bc7983932636dca23d0fb46a0b8
SHA256 cfe39d1892f95613ff09b68190f9077b62e09983bce24042e1cbd1fa29ccce9f
SHA512 86accb04f72eff1842473440d30634e4fd86f239d78674e014d8a110d65bf56be8e81a9d07e2d6d8516aebb30329ce02bae59f35db2e638c88ab71689e353ae5

memory/3692-497-0x00007FFC8CD40000-0x00007FFC8D801000-memory.dmp

C:\Users\Admin\Desktop\AssertConvertFrom.svgz.fhw5

C:\Users\Admin\Desktop\ComparePop.hta

C:\Users\Admin\Desktop\DisconnectStart.ps1

C:\Users\Admin\Desktop\DismountUndo.emf

C:\Users\Admin\Desktop\CompressEnable.dotm

C:\Users\Admin\Desktop\CheckpointStep.docx.lvn0

C:\Users\Admin\Desktop\SkipWait.3gpp

C:\Users\Admin\Desktop\SaveDeny.001

C:\Users\Admin\Desktop\RedoConvertTo.temp

C:\Users\Admin\Desktop\ReceiveResolve.emf

C:\Users\Admin\Desktop\PingSkip.mp2v

C:\Users\Admin\Desktop\JoinRemove.edrwx

C:\Users\Admin\Desktop\ExpandRestore.ram

C:\Users\Admin\Desktop\DismountBlock.asx

C:\Users\Admin\Desktop\BlockRevoke.wav.sd8d

C:\Users\Admin\Desktop\SwitchRestart.midi

C:\Users\Admin\Desktop\ConvertToUndo.docx.p2lf

C:\Users\Admin\Desktop\desktop.ini.f8h0

C:\Users\Admin\Desktop\StopInstall.wmx

C:\Users\Admin\Desktop\InvokeBackup.gif.knx7

C:\Users\Admin\Desktop\WatchInstall.vsd

C:\Users\Admin\Desktop\StepRemove.docx.xh9u

C:\Users\Admin\Desktop\SyncDebug.docm.45sj

C:\Users\Admin\Desktop\UndoConvert.contact.2xhq

C:\Users\Public\Desktop\VLC media player.lnk.hasb

C:\Users\Admin\Desktop\UnprotectCopy.bmp.oww0

C:\Users\Admin\Desktop\WatchProtect.xla.4m4d

C:\Users\Public\Desktop\Microsoft Edge.lnk.vb6i

C:\Users\Public\Desktop\Acrobat Reader DC.lnk.t61p

C:\Users\Public\Desktop\desktop.ini.yywz

C:\Users\Public\Desktop\Firefox.lnk.buxe

C:\Users\Public\Desktop\Google Chrome.lnk.k908

memory/3692-533-0x00007FFC8CD40000-0x00007FFC8D801000-memory.dmp