Analysis Overview
SHA256: 82702da0dadc378e1995679ed5cab6ae3d3c3e189ca7f3401c9b047e53b4648f
Threat Level: Known bad
The file MicrosoftStoreService.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-05-31 21:16
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-31 21:16
Reported: 2024-05-31 21:18
Platform: win7-20240419-en
Max time kernel: 104s
Max time network: 104s
Command Line
Signatures
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\MicrosoftStoreService.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\MicrosoftStoreService.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftStoreService.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftStoreService.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftStoreService.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftStoreService.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftStoreService.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MicrosoftStoreService.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftStoreService.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MicrosoftStoreService.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftStoreService.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.158.249.75:10911 | 0.tcp.eu.ngrok.io | tcp |
Files
\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 0bb46f1aa0f9ec8b6ce4a718a6ffe8a4 |
| SHA1 | 621449aa1d94f91b30ff7984a7457d6aed2d0075 |
| SHA256 | 82702da0dadc378e1995679ed5cab6ae3d3c3e189ca7f3401c9b047e53b4648f |
| SHA512 | 5cd89e242d980aedc9fb0f0eb28b0202a6a6c5db6c1146d8d7ecebc72235982d9585086e4c9f62c9b0af8d7082c72b7397de468280050da0b438bd6ebbd5d443 |