Malware Analysis Report

2024-11-16 13:32

Sample ID 240620-ztcbesxbqh
Target asdasdad.exe
SHA256 ed36eacbc76c5bc86ceeb156854e849ee67d76a184b0253482debcfb62fba3fa
Tags xworm execution rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ed36eacbc76c5bc86ceeb156854e849ee67d76a184b0253482debcfb62fba3fa

Threat Level: Known bad

The file asdasdad.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution rat trojan

Xworm

Xworm family

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Drops startup file

Executes dropped EXE

Checks computer location settings

Enumerates connected drives

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 21:00

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 21:00

Reported

2024-06-20 21:02

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\asdasdad.exe

"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\asdasdad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'asdasdad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\asdasdad.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 silver-bowl.gl.at.ply.gg udp
US 8.8.8.8:53 silver-bowl.gl.at.ply.gg udp
US 8.8.8.8:53 silver-bowl.gl.at.ply.gg udp
US 8.8.8.8:53 silver-bowl.gl.at.ply.gg udp
US 8.8.8.8:53 silver-bowl.gl.at.ply.gg udp
US 8.8.8.8:53 silver-bowl.gl.at.ply.gg udp
US 8.8.8.8:53 silver-bowl.gl.at.ply.gg udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_013dyrto.q3q.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 21:00

Reported

2024-06-20 21:02

Platform

win7-20240221-en

Max time kernel

119s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\njdehe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\evldaw.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\WScript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WScript.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WScript.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Users\Admin\AppData\Local\Temp\njdehe.exe
PID 2120 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Users\Admin\AppData\Local\Temp\njdehe.exe
PID 2120 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Users\Admin\AppData\Local\Temp\njdehe.exe
PID 2120 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Users\Admin\AppData\Local\Temp\njdehe.exe
PID 1736 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\njdehe.exe C:\Windows\SysWOW64\WScript.exe
PID 1736 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\njdehe.exe C:\Windows\SysWOW64\WScript.exe
PID 1736 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\njdehe.exe C:\Windows\SysWOW64\WScript.exe
PID 1736 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\njdehe.exe C:\Windows\SysWOW64\WScript.exe
PID 2120 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Users\Admin\AppData\Local\Temp\evldaw.exe
PID 2120 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Users\Admin\AppData\Local\Temp\evldaw.exe
PID 2120 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Users\Admin\AppData\Local\Temp\evldaw.exe
PID 2120 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\asdasdad.exe C:\Users\Admin\AppData\Local\Temp\evldaw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\asdasdad.exe

"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\asdasdad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'asdasdad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\asdasdad.exe'

C:\Users\Admin\AppData\Local\Temp\njdehe.exe

"C:\Users\Admin\AppData\Local\Temp\njdehe.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs"

C:\Users\Admin\AppData\Local\Temp\evldaw.exe

"C:\Users\Admin\AppData\Local\Temp\evldaw.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 silver-bowl.gl.at.ply.gg udp
US 147.185.221.17:29206 silver-bowl.gl.at.ply.gg tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\Admin\AppData\Local\Temp\njdehe.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lucky1.wav
C:\Users\Admin\AppData\Local\Temp\evldaw.exe
C:\Users\Admin\Desktop\ResetConvertFrom.wmx
C:\Users\Admin\Desktop\RestartLock.tmp
C:\Users\Admin\Desktop\SubmitRegister.odt
C:\Users\Admin\Desktop\SubmitDisable.ps1
C:\Users\Admin\Desktop\SkipSwitch.reg
C:\Users\Admin\Desktop\SkipRestore.rtf
C:\Users\Admin\Desktop\ResumeUpdate.mpeg3
C:\Users\Admin\Desktop\UnblockUnpublish.MTS
C:\Users\Public\Desktop\Adobe Reader 9.lnk
C:\Users\Public\Desktop\VLC media player.lnk
C:\Users\Public\Desktop\Google Chrome.lnk
C:\Users\Public\Desktop\Firefox.lnk
C:\Users\Admin\Desktop\ApproveDismount.dotx
C:\Users\Admin\Desktop\CompareCheckpoint.midi
C:\Users\Admin\Desktop\CompleteBackup.cmd
C:\Users\Admin\Desktop\CompleteResume.dotx
C:\Users\Admin\Desktop\ConfirmHide.ADT
C:\Users\Admin\Desktop\EnableAdd.pptm
C:\Users\Admin\Desktop\GetWatch.3gp2
C:\Users\Admin\Desktop\MergeEnable.DVR-MS
C:\Users\Admin\Desktop\MergeSelect.mp4v
C:\Users\Admin\Desktop\PopPush.mpeg
C:\Users\Admin\Desktop\PopUnregister.pptm
C:\Users\Admin\Desktop\RemoveDisconnect.otf
C:\Users\Admin\Desktop\RequestDisconnect.m3u