Analysis Overview
SHA256
3137e58a47fb9656c272ed9cec55ab96df6b8e28f11d3942021c44162979dd32
Threat Level: Known bad
The file XBinderOutput.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm family
Xworm
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Drops startup file
Looks up external IP address via web service
Adds Run key to start application
Drops file in System32 directory
Detects Pyinstaller
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Scheduled Task/Job: Scheduled Task
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 22:13
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 22:13
Reported
2024-11-13 22:13
Platform
win10ltsc2021-20241023-en
Max time kernel
17s
Max time network
18s
Signatures
Detect Xworm Payload
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\Windows Data Complier.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Data Compiler.lnk | C:\Windows\System32\Windows Data Complier.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Data Compiler.lnk | C:\Windows\System32\Windows Data Complier.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Windows Data Complier.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Data Complier = "C:\\Windows\\System32\\Windows Data Complier.exe" | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\Windows Data Complier.exe | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe | N/A |
| File opened for modification | C:\Windows\System32\Windows Data Complier.exe | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe | N/A |
Detects Pyinstaller
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Windows Data Complier.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows Data Complier.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Windows Data Complier" /SC ONLOGON /TR "C:\Windows\System32\Windows Data Complier.exe" /RL HIGHEST
C:\Windows\System32\Windows Data Complier.exe
"C:\Windows\System32\Windows Data Complier.exe"
C:\Users\Admin\AppData\Local\Temp\s.exe
"C:\Users\Admin\AppData\Local\Temp\s.exe"
C:\Users\Admin\AppData\Local\Temp\s.exe
"C:\Users\Admin\AppData\Local\Temp\s.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows Data Complier.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Data Complier.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Data Compiler.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Data Compiler.exe'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 172.165.69.228:443 | checkappexec.microsoft.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lcbcp4l2.3qm.ps1
C:\Windows\System32\Windows Data Complier.exe
C:\Users\Admin\AppData\Local\Temp\s.exe
C:\Users\Admin\AppData\Local\Temp\_MEI13802\python310.dll
C:\Users\Admin\AppData\Local\Temp\_MEI13802\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI13802\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI13802\python3.DLL
C:\Users\Admin\AppData\Local\Temp\_MEI13802\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI13802\libffi-7.dll
C:\Users\Admin\AppData\Local\Temp\_MEI13802\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI13802\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI13802\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI13802\psutil\_psutil_windows.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI13802\_bz2.pyd
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Data Compiler.lnk