Malware Analysis Report

2024-08-06 19:28

Sample ID 240514-wjgllsgg8w
Target 4266b7f3f525ce59b02793f29c0793b2_JaffaCakes118
SHA256 58b345e6951ae9bbb11ca7da778be357e015f969c2ca4f9fd68de188da95a5a2
Tags
darkcomet big money persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

58b345e6951ae9bbb11ca7da778be357e015f969c2ca4f9fd68de188da95a5a2

Threat Level: Known bad

The file 4266b7f3f525ce59b02793f29c0793b2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet big money persistence rat trojan

Modifies WinLogon for persistence

Darkcomet

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-14 17:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-14 17:56

Reported

2024-05-14 17:59

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr" /S

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe N/A
N/A N/A C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\60748084\\xup.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\60748084\\VIR_GX~1" C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2172 set thread context of 768 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: 34 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: 35 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1668 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 1668 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 1668 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 1668 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 1668 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 1668 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 1668 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 1960 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 1960 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 1960 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 1960 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 1960 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 1960 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 1960 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 2172 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2172 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2172 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2172 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2172 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2172 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2172 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2172 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2172 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2172 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2172 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2172 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2172 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2172 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2172 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2172 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 768 wrote to memory of 2016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
PID 768 wrote to memory of 2016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
PID 768 wrote to memory of 2016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
PID 768 wrote to memory of 2016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
PID 768 wrote to memory of 2016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
PID 768 wrote to memory of 2016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
PID 768 wrote to memory of 2016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr

"C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr" /S

C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe

"C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe" vir=gxe

C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe

C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Users\Admin\AppData\Local\Temp\60748084\OXNZY

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\60748084\xup.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\AppData\Local\Temp\60748084\vir=gxe

MD5 6966e3f5a812ccfa6cf64bd9ca781a4f
SHA1 eb3d3bc8f88ffa69e0169d45a7036b2978c0312e
SHA256 e462dff41fef6a4919ba0d5bbc15185be323a441ed1441891431a628dedd793f
SHA512 edd99cb924b46a1b45044b9ffafdbc3921bedd0ea98bb5eb67af8f3e07a767793bed992f3d3138d945ce6b57ad580fcbe35c2a8151a84d4b279f45890f649706

C:\Users\Admin\AppData\Local\Temp\60748084\muj.mp4

MD5 520a037b18e1c53010df3cdb7453bd11
SHA1 f1143437176c5381dfc465d0193309e2613f6cf6
SHA256 aa297dd63358b4f6ee80d864abc884cb2ae99c70e59cb74b9d074a517ac0053e
SHA512 f351b5c17781c9862acb67b7cc44438a2af515832d6732ad7d286d68b004c44901286d3301f006346abd5eae9f93193bd4b353d272400a3719f493ad10f60148

C:\Users\Admin\AppData\Local\Temp\60748084\xhw.ppt

MD5 7ef358ab2e7323d27e74a336f533177a
SHA1 1d64f54e110ab71be948333784f0ea9782b4447f
SHA256 8821f2668ef13d8dd500d8ffd866a64e3f905f6d5349f1fde44eb13344bb1ea2
SHA512 418d6df679b104f7a25fc2fc1a623484a15baba4744057b831ce91d8a11a11246cfda54c9e41b6d0487a475ae2dba1c3354c67459d717a6995811e377b142c7a

C:\Users\Admin\AppData\Local\Temp\60748084\vei.ico

MD5 eeb43f5c5a4adceea67484f4bceb2824
SHA1 fe187a8982dbd2d7e7fa781d0deffafba06cbc1e
SHA256 7b2ef6d386af1dea8cda45074867022f02f639368102727c47baadeda4c0fa66
SHA512 6d6309e8d6fdedb0f86a6d9c24f51f693822e0aa7005c6c050cbab2679f758f96525b0acda7aaa05cdd16510fd01b1045a458ab51e661b1c3ed6c2df71e1e7dc

C:\Users\Admin\AppData\Local\Temp\60748084\uxo.ppt

MD5 74021a8f6c474e54ebc03f958a2ee625
SHA1 544492104d5fd9e3ea1ecf2eb47ac0c493c8a059
SHA256 ef21fd919ee673bf93066885121bac6dae6dd7dfd37f9e0400b00f54be5a0439
SHA512 3190c402d1a90870fcde7d733352ef7e55b10d3ad0deb44e091ef286801c163dd1aa71d1908fd105eb15dcece6eeda8497ef2d7d2ae77a5d93ca8324ded6a51d

C:\Users\Admin\AppData\Local\Temp\60748084\ukn.jpg

MD5 3c666fbdc460f3abb0512e3ffcf3aafd
SHA1 817ea5b68b582c37a23ef2bd3348097737af5d19
SHA256 cb46ab6690c2c60c6c3c218da9cbe5cb75ac4a8a5ec1559decf6595bb6ec806f
SHA512 bc0fc22d568af308684b9da41cc0894a23403687882a448d9ec009a39299b7ba4ca9d059fc2d7d63fd3a4e10cbb3253b6f34acfce33b39efa8b8907174eb7f05

C:\Users\Admin\AppData\Local\Temp\60748084\uep.bmp

MD5 be76cfc488c99ab5fafe42ac801682a2
SHA1 e51749f599d5ca3173582c362caa85adb88f2325
SHA256 df0bf5657084bb21486d69d662d851d556d135a723b9b7f3d453f6f25ba67f4b
SHA512 7bfce392a797461d5857ac12829577b0ebc233d7148ff67772293b84909186854200775b20ae7eb49974b0f2502c13c742eca52bd2fa0fb0046f1416b4a19ce3

C:\Users\Admin\AppData\Local\Temp\60748084\sub.ppt

MD5 cd94e9157418207a7431b5ed173c7f5c
SHA1 6f64a66ae6a9a60b971a5c3955d6b253661feb18
SHA256 e12a03ab9391e8e83168a4e0e6f38081c493758135db1c90234c479ce9c5c3ed
SHA512 3ff5c039d8588c79de10679cb5fec1d60f676a83f3f33a5e556b1267d9d316ea125947849d6f1de02a8fed93045ef2fe9d624e755bd31251171c349b5ec81f8e

C:\Users\Admin\AppData\Local\Temp\60748084\sps.dat

MD5 77c55091f151ad66d338b07c25337dec
SHA1 ae27f3ffa8c84264c4c5a6624e13379e191e07b7
SHA256 049a836c2d1566907f587ae0d3666630e5c6b4e474f0aa84b1df4fc94d993f00
SHA512 4bea4ca274c01d015ad308a542796d42b3b095c48c3cedda94f2048ed1f62bf9543237245188934334ae077af6174360260fd4a6ac5ad53d3a5e4027877b014d

C:\Users\Admin\AppData\Local\Temp\60748084\spp.mp4

MD5 83b5a7c3c11f44f42aa9851f919c833c
SHA1 3dd4d6a0eb77464fa1e5cf005356ff5078128914
SHA256 7b4c2bacd4bd15ebf0812cdee67d2b2ce15d8ad6f55e2b525d7514169daeb3a1
SHA512 3df11098a3d1adbe013642e3cadf385251fa31c5e4e8039ada63e19b789196bfd8df152add4d6011506f3a8df457cc295dbff873c3bd4bc51b9022f5d9b5d003

C:\Users\Admin\AppData\Local\Temp\60748084\rnu.bmp

MD5 f870488ba43f6bdefabf848f4972f63a
SHA1 4dda62f86f69238a06f2f4b9e1ff037dd4a87653
SHA256 8e321e251904d1926462522d12eef43aac726679e6a0c8768301024f7c9517c8
SHA512 0e3e54a6a32b4d5bd8952886dbdc1018b72fae14f4d53337623a6b36108f45089f4873fa1138d81fc98b01fa9c0e1d8e8b8fa75b76976fa96a263c029c81c976

C:\Users\Admin\AppData\Local\Temp\60748084\qix.bmp

MD5 d97abd5bdd067cdd3a42b5c65f63e96e
SHA1 c9023a608372c07af7d5ad1f54861668e3e8663d
SHA256 03bcf514d4a6d7a7a2dd50ee48d71ba701932592650c7b3575044e2021ba80d1
SHA512 45dbb3de027f638d4531f2ffdb6fc814e8e0e1ef054ed83bcd30cece014a89600291fca0599a272c7e1416f4015711834d62786f8e8d1150b1098bd34e867a8c

C:\Users\Admin\AppData\Local\Temp\60748084\qer.bmp

MD5 da1ee8e4494833fe542606e175498c9c
SHA1 73621d5c202afc5ba3329ddadd16da1c599f8bce
SHA256 a84437c7e2e4c4af2489f1dad06af4d2f51a6750527aba02d607d7866f9e933f
SHA512 2e6da0a850ba38110a5a079b1d3a863f9dbcb990d48961292aaa29054a9041acb4c2b5c96f45d920fb40cc1bd15ca3ae0851d1b4f44846145bc65d1d22efc3c0

C:\Users\Admin\AppData\Local\Temp\60748084\qbh.xl

MD5 1df1287818564dbda36a6dabb94c91e7
SHA1 35774859bd567f28331af06f51730e1ac07f05dc
SHA256 362640b6162a633b9e175b9f0b47262e792396267a9c297007ddc34af2f91591
SHA512 bdd6ea0c9a985816adbac9b25abf1ad8ba68144fcd25bde63d4ebab783510819fa3c0cd62f9ac2b15fbb028bb371df8d3826ae19b29badde62bec6752eedbded

C:\Users\Admin\AppData\Local\Temp\60748084\ptu.txt

MD5 2065e5988d40b506876a001488909aec
SHA1 a3320db0b57da29f91dad29024da1a571865237b
SHA256 a2f3caabafaa8611d4c68ba51209156e5f706fb536c7c7cdbd88e90b822424b8
SHA512 3ef70ce2640422e7ea63b828d0c192880f986be5f43285063c0958fa7f37d21584629f049f3178c954b4d3b1c0b20343b1304eab721d103f48dd6a4d417344ee

C:\Users\Admin\AppData\Local\Temp\60748084\prj.pdf

MD5 b18f85a41fa08ffc88fd2d20ec9d2a5a
SHA1 320002f029886d5701c10f14af0160584ff459b1
SHA256 1a52148bb7e8483aa4e84212f6732519d3dd1619283d7b964f309df5e10ff2d3
SHA512 a74539a1b4abab2ff556b4d41275c7189997edc7e87a70e5a6fc19adee75f00dcc82ec322aa63f8d09ef26f23b4117a685e93229d6047a124235e512d5ec14b0

C:\Users\Admin\AppData\Local\Temp\60748084\poa.xl

MD5 d5763c03626fbb20e26d8a70d14b184f
SHA1 a587f64c7694cf1371827983004b7af99610e872
SHA256 d0a3f735b11a10444a7d238a75a63e0200983a9841237e0288689a8b4e00acb5
SHA512 1b0ce0290e25dd9ba42e84213462fd95171112039e73116ae7af31afbc86dc2dbabbbc5ee4c1bcc38ca114075b7be1c705f72a7509664240b0bdf43e5e164763

C:\Users\Admin\AppData\Local\Temp\60748084\olj.icm

MD5 f8962052a9be8710067e42b7dd37c27c
SHA1 92b2964996916aa4fddc4ced4166d7baf2a380d4
SHA256 bfb9f527d23e3eeb0b58b4cc2bb3b554727fbb3391ea77446f6410979aa9cd1f
SHA512 b9962d75d7bb607b5270362014cc13c46add08b7cf8b13d507f1426e7cd99ba2e4a02415d8d8ec94e0e817c2ed381013a98ed249ecc5e820fdd20e569d0ec6ce

C:\Users\Admin\AppData\Local\Temp\60748084\oin.docx

MD5 cc917430679676df4bb52cfc46519cf1
SHA1 63983d0933f13cb3b3e2e6b5640740edd3e87e3a
SHA256 44b4bded2fd7aed4b5a8eb0579ae3aefd72d5f5c677a0009cbfd7cf1478ca42e
SHA512 7d135b2e7932d004506d0c109506db6a8fd34e3d288699e7fd477019f6643b3e340085c5ff69118f6f1d6ac80aaee36748522c1155a6a8483eb989c50fb8d709

C:\Users\Admin\AppData\Local\Temp\60748084\nst.xl

MD5 553e3877bbe30e45e4c672b7089f44da
SHA1 58d17a6bf383c674674fad485beb14b6719e9e01
SHA256 371bbd014dc8732c87929b8dce14a832136f83f765661dd6b183d058dffeb52b
SHA512 0df093c204c0c1379cef0ce8847c3201f3cb6617c37818f11f86cb4941f1d57184ff5eac832877aff044d795d98a9d3736dfbfc3fba156b9dcd492808a7a5132

C:\Users\Admin\AppData\Local\Temp\60748084\nmk.pdf

MD5 e7698f958f9c7766bc0298d69d2eaa86
SHA1 c09c27b0701dc0f477e917f7c7595f3de1ebbf2b
SHA256 8efd7385665e26ee0e93564ecf975a74f2c319ac9ea67411d894e965d9809599
SHA512 973a28e8531f6beeeb9a11bc81933f05e385a965ed98292fd9341d6528f182dcd52385f4b72d8f4e7b2ae2c202154ff2346a2baf89e8c5ddbf4fcfb7d447a712

C:\Users\Admin\AppData\Local\Temp\60748084\mqi.ico

MD5 f17755adc1bd60e072002500e9f2da3f
SHA1 572d141a1013862ed9e3b0e088a1cfd49f81379f
SHA256 2e16b21d2c56a63c3a2091ee9d5e8d27a4af4da54fbe7ae5b87e2cb2cf6e591d
SHA512 347c50a35e991e962f09d8d69589e1d920136ca683b7e5d7d22e2e05a79370db65dc8c6e35d8e3965e9be75efa86968770a0af7fba8efe55c9dacca0a1fe010b

C:\Users\Admin\AppData\Local\Temp\60748084\mmg.jpg

MD5 b24239198c3b38776cb4c76f40772032
SHA1 93b148fc1af632b3cc02f11f246636e79a131c8f
SHA256 2d4858fab6314d93924b056773c7d559823ed2c91b05b35f96d3bde66e7a0abe
SHA512 616287ef675e5e22f13293f62b3404b937c858ce2c4061e067c9f17a5a937ddbf3485f3441dc1833d64167218c03219f377d3d5b5cdfc7810c7ed58fd7d89d83

C:\Users\Admin\AppData\Local\Temp\60748084\lmg.docx

MD5 e6a4b2ec3642c1e2eca5332885ff5192
SHA1 c785e74a1ab71f51e426bd97cc441f602e8012b9
SHA256 e8db2485b0700a4327ef16b3377eea803232e9fea7045dccd38ae2f375a714a8
SHA512 4f3b1730034882060f4f11212967d6724ffa4a93148775a8041e221f98448990c914ed652b5ff29f35b9ab361c897523a1be9265b1f4049eb073ed8514e682da

C:\Users\Admin\AppData\Local\Temp\60748084\lbc.icm

MD5 8eadc690507c46a25a2c5ff3c6fbb98c
SHA1 443e42a47d056ea18d9a714ebcef121641b63326
SHA256 58cfb44b55969dcd46d6e5d45f1808786df87d1de42c2876cd31a9cf6f115129
SHA512 3550d378a9de864bf58b31d4156a776bb32f7255d050164e32f327783886a2050dca5faa2731db9a56686c80cd869db033f3e53c854768660fd08613b5b5616f

C:\Users\Admin\AppData\Local\Temp\60748084\koi.xl

MD5 18d9863d59d51e5dc7453772589599ad
SHA1 e980b9683f358a9b9ec8bded0c8e7f60d6d78434
SHA256 7ed097e8701e4e9a6e3c586be8a4c4c93246ead36967269aa00ce846bad16a2a
SHA512 327e0b95d02ea2208678d1a15133384069a2981869b0983ba13d273d6dc8d8d5ccf4ef31b61d6cebd4f0dddc6dd256de67323f5d5fc9efa4a7c845d59c250295

C:\Users\Admin\AppData\Local\Temp\60748084\jsj.pdf

MD5 619222a29b604dc87d835a0823978618
SHA1 aa81a4963326f965a2a15d4a272510e7aeabeff5
SHA256 6b2336cb760fd056d580b5d91b9e8499a6338821f2d857554bbfe47155712d14
SHA512 60cab44d5733dfe6deabc966aa7f6a70d53bf1f0f5bdfb2be511e3c85bb51f9d939bcb1d176c93a748dc4170749261feaf576f62f17ee56091a8502bc5480592

C:\Users\Admin\AppData\Local\Temp\60748084\iju.bmp

MD5 6b599ee36e844f78ec538719e5e519c8
SHA1 f0941017860bbb7ff14d516fa6056a2c70e556fd
SHA256 f5a620d1ea0157a4ea9081a238174bc10656a8f55f51eef908f557177df846c3
SHA512 242bcced00cca2be7b1f1dc9ce19b3176dd34051fd5b8a0ce02493eb803ac29b48e1c8ecf4395f99ec420b04b2582320e8878b37145cf1cbd01e234a318a6c0d

C:\Users\Admin\AppData\Local\Temp\60748084\hid.docx

MD5 14f50b8bf69beb03b8d37a54900d839a
SHA1 f6aad00f2c08d89cb658caf74b570f9c138e57f7
SHA256 d5e578a2e995b0a0167428b73ce65f40d11161c5dd169866722e3c74a239dd22
SHA512 8f0786fc9bcc396079d5e8372c0c99dfe76b31d464a5f391bb1ec6e228dfae4276961b033fa3f53ba06e1916cd30c56860c736e50d26390606e36789c2a9ec5b

C:\Users\Admin\AppData\Local\Temp\60748084\hbq.icm

MD5 9d28f938334fa0e7f2b975fab975cae6
SHA1 f97b5c570bd02bbb0d4c4545ae5d5cb9916d6103
SHA256 13056f3f3727532332a8d2c942f129738219f4ff53fc60861ded431f96d457e8
SHA512 24396e04952daa13c63863c3f5fb068ed8c46a97daa350bf8693ea5494e561eabcc11e96580949cc7e6433211ae54c6ba7801e78e33f2669299d54c36a8c65f2

C:\Users\Admin\AppData\Local\Temp\60748084\fon.dat

MD5 84af0dc433d4e667f9d26f7d3b730f20
SHA1 eca0623e6930cbc05c552f918612af2ceb9e6564
SHA256 e3a5a6b91cd9a3e1920e1f6727259cdd74d07526ad72c33f7d9935460943363b
SHA512 d8a821c017d29afd9cbb184783f4ab937460dc1c4641c1284005eaf62cf9563849d4dad4d81d64c50f363f7706e5ba885d9c6ede2296fbb6b5b561862885edae

C:\Users\Admin\AppData\Local\Temp\60748084\fao.bmp

MD5 7d4fa65e1d68b9d9758ea294ee234df8
SHA1 9d2ce4f535cb9d6c651c88d14278734bdb498e64
SHA256 a4bc0adc0e2bc9baf9c69c42484de1f3d8708589d9555258b9cc186c9eb3368f
SHA512 be9847ad206c2ccd9ee95699cfe12aa5e64f604e7845362e5d86e5419bfa1c248fbb81f14761f8a6c6c5ca23024ecd90935ade32c24a2b1c57848bed310982fd

C:\Users\Admin\AppData\Local\Temp\60748084\ejg.jpg

MD5 f556ed8ce3360a692b159dac8a166955
SHA1 637871f8cf02c90ed72dba11579b997583b54620
SHA256 9f22f7888583aa88b45354c8dc663d2af2b10abd95a14417be71881b451cde1b
SHA512 add39ed35ae1999b746435c421b64b962e34ff69aaf19b21cd20c178c0cced911aa41917e5489983e0f8b50975e73af36f23ed5c5bf446a613c2200cd67be278

C:\Users\Admin\AppData\Local\Temp\60748084\eak.txt

MD5 6bf1a76f3ab7805d41d5a79bd96f6bed
SHA1 7ef57ba165d2642fecc4043c61a8ecceb126ee3c
SHA256 c0e628591aa502a3b033620c196e64b28492d5f3d450762e23eb4caf89cb1cd7
SHA512 33adaa4c12644f7f58f0ea972a872c0f72558bd203704352b8285ff4941cc85f2ce8a61a244ae2ba85958ecfa5fbf46a8b5881157f527e9bb345d712e13284f7

C:\Users\Admin\AppData\Local\Temp\60748084\dwm.ppt

MD5 ff73177bc8806baa20695c3ea64924f7
SHA1 2a13a93709e34adffbf5b8f6ad5925746dc2ade4
SHA256 811341fe56cc37b429e582260c85575eda07eb5ff59b7cfb41f9100e9975abcc
SHA512 1e1f8ced4bfe07b5f6ec5c34eb79dd7efcf3a03b1fc773fbcd3120d23eadbade8d962f1b152cc57237398c8caf042b8a71f4f82c38c93df4c2859bf2c9ff9085

C:\Users\Admin\AppData\Local\Temp\60748084\dne.mp4

MD5 6aedabdecf2efb782612e5a64d54f28d
SHA1 af42fb46702342cd8d83aec9ce31990cd43fd565
SHA256 8b5caf15df7dc51277e50f8d210b1af9250b9ee2d49023c7c4f856af4b5f93d9
SHA512 6adc5a0e7020d6701353462eaaab6f6295ae67e0d51424b1f209cb2e9ee2e773701c552acdfb99e1a48b287dc4e79ae8860d7bf1924e62a7df4dc911e42591d3

C:\Users\Admin\AppData\Local\Temp\60748084\dke.bmp

MD5 2599f3f2e15dafa610063737f87e570c
SHA1 28331e45257ba5a53601a222b8a1b933168946dc
SHA256 557ae5381c23603c1c2c6517714dc84e49e5b389b14ea2bbbbf25a399cfba325
SHA512 1c26941cb2929e45964f4565610113a8eb1a7ffeaca94a0802903a8313d7c2ee073845065a1b2953a6ecfb433bf9a633ea3ccb1523ac436050099f8c9402f314

C:\Users\Admin\AppData\Local\Temp\60748084\daa.jpg

MD5 d3c880d061584916c81310b0fd23f7ad
SHA1 3dc4476afe884a0d941eb32b3dc31eac78d897a6
SHA256 233a07f12997bdba3c3879a7d3bbf6dcd86445dc434b8a9d026c58971ca83865
SHA512 de4e5f9dfe4dc4f26a6ef57869341bffd051c5b071ff93bf5e5d76effd6996d62112ae0e8f76040048dd8d92ea5ee64cf1d71babda94efc847d23692c12d1ab1

C:\Users\Admin\AppData\Local\Temp\60748084\ckn.pdf

MD5 557254061f5e199663aa53e532c823c4
SHA1 19df493026d1708edc1551b910b4affe9f86d605
SHA256 e8e84759d87cb3e0ec8c380074ec8742af5971373dde9c96e39ad96d1fc1b75a
SHA512 7a7d94982e75ad6bbbfd414c68ef0670dd271bd0b8a67df1fc439afed5ac5015b2f15a2b975292646d05585217594f072c22d00b3b3fcd6b8ca950b56c990c3e

C:\Users\Admin\AppData\Local\Temp\60748084\cgl.mp4

MD5 6148f84c376c9edb9c27218e53cda4e7
SHA1 e46ff8ed09e90eb9397f01f302468b4602997dc4
SHA256 bb91f56b21293b707e10a87812c8080247e2088cd001f5b4ac90557dcdd24be7
SHA512 801c1fad6345b2d5a52f192c08b9e6289acb5d6519f24d159c11e09391a0ceee1e5d316bcd2cac8d8556c217371543c75643085903bfee82936e98f877ea84fd

C:\Users\Admin\AppData\Local\Temp\60748084\cew.ppt

MD5 e62e907f8ac63a23a48bfefbaae0f817
SHA1 20ed5a17f74ec84ce20ac5036e64535999102502
SHA256 366e722ac40e4871ed6b49e0383dcb37b415371cc562d0361cc2c7b4f27f3345
SHA512 f1a2d4adffacd8842973a5758c12c1b10686da9f573fde393972de4ffe5201dd79075d99bd4a259d1b9bfb4d9b04d19a0e2bf94b9263bae1448701ae35210ac5

C:\Users\Admin\AppData\Local\Temp\60748084\bpc.txt

MD5 73a4ddbff1464e232328647240047417
SHA1 41b2874ad08774e145a60d9ebd75a309b40919e3
SHA256 7233966f9b43d7c06531cabcc3308e241a53381203b34757663c605628ae3fb9
SHA512 015e08c207e9f4fc837204437613d9a59fd20d69502806c25cde5b5f86a72a9a220917900a9e3f994549d2ca27df9ad41e603cb677d5cc76b48fdbf224d98e7b

C:\Users\Admin\AppData\Local\Temp\60748084\bke.docx

MD5 7b027091faa7599c8c878baa40380f80
SHA1 e1faf0a90e2f1284b29564a3c721354ebf1c578e
SHA256 5cdc494c02ed18a56b96d9de2ee3209c681651b5d5a774008d9e71207462d4f8
SHA512 d1b979dd9fc91a4cf5b35c266867a845400b6b5c6227ca28d7198bd47c8dfe0b513557695fd1c81a484575f6e4572815e21fa89a088673e3dfad565d7f33dd5d

C:\Users\Admin\AppData\Local\Temp\60748084\aeo.txt

MD5 7e68c80144b98534c69062c5d4f63193
SHA1 4fa510145f920a5a01d63d7e7cd3092f02faae92
SHA256 ed28e914111ebbefe6db0146d502d9002bd7e20f19a5281eb28c4cc13d4f3469
SHA512 fd4b2bb086bb599e2b0dde1e9c4ec61baa390d7e352b92c4b712e1725a35b0286bd0b2f32663aba13051043dab32ecf280491fa085c2b28c55e82afce2281f59

C:\Users\Admin\AppData\Local\Temp\60748084\OXNZY

MD5 2119ba402290f6647533f887df75ede1
SHA1 f08072e37a05758c82184cdea2d9644241c5990f
SHA256 fa6d5ee9d2f03c43af730b9bb60eeaae88e4b5c7abfebb9190dbc2c9aa13f59e
SHA512 bde4ec9bdc4429747df1cf4cd30c33986c7b92cb24f51497886326c590f1cfbd9906c9770dbe0c36408355e29259be6a34bc2504d135af3931fc95ee695d4c50

memory/768-152-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/768-156-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/768-168-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/768-169-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/768-166-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/768-164-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/768-162-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/768-160-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/768-154-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/768-158-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/768-172-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/768-170-0x0000000000400000-0x00000000004B2000-memory.dmp

\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/2016-180-0x0000000000CC0000-0x0000000000CCE000-memory.dmp

memory/2016-181-0x00000000008A0000-0x00000000008C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-14 17:56

Reported

2024-05-14 17:59

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr" /S

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\60748084\\xup.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\60748084\\VIR_GX~1" C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 684 set thread context of 544 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4124 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 4124 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 4124 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 4244 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 4244 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 4244 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe
PID 684 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 684 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 684 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 684 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr

"C:\Users\Admin\AppData\Local\Temp\QUOTATION.scr" /S

C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe

"C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe" vir=gxe

C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe

C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe C:\Users\Admin\AppData\Local\Temp\60748084\ZAKZR

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 544 -ip 544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 80

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BE 88.221.83.248:443 www.bing.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 248.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.90.14.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\60748084\xup.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\AppData\Local\Temp\60748084\vir=gxe

MD5 6966e3f5a812ccfa6cf64bd9ca781a4f
SHA1 eb3d3bc8f88ffa69e0169d45a7036b2978c0312e
SHA256 e462dff41fef6a4919ba0d5bbc15185be323a441ed1441891431a628dedd793f
SHA512 edd99cb924b46a1b45044b9ffafdbc3921bedd0ea98bb5eb67af8f3e07a767793bed992f3d3138d945ce6b57ad580fcbe35c2a8151a84d4b279f45890f649706

C:\Users\Admin\AppData\Local\Temp\60748084\muj.mp4

MD5 520a037b18e1c53010df3cdb7453bd11
SHA1 f1143437176c5381dfc465d0193309e2613f6cf6
SHA256 aa297dd63358b4f6ee80d864abc884cb2ae99c70e59cb74b9d074a517ac0053e
SHA512 f351b5c17781c9862acb67b7cc44438a2af515832d6732ad7d286d68b004c44901286d3301f006346abd5eae9f93193bd4b353d272400a3719f493ad10f60148

C:\Users\Admin\AppData\Local\Temp\60748084\aeo.txt

MD5 7e68c80144b98534c69062c5d4f63193
SHA1 4fa510145f920a5a01d63d7e7cd3092f02faae92
SHA256 ed28e914111ebbefe6db0146d502d9002bd7e20f19a5281eb28c4cc13d4f3469
SHA512 fd4b2bb086bb599e2b0dde1e9c4ec61baa390d7e352b92c4b712e1725a35b0286bd0b2f32663aba13051043dab32ecf280491fa085c2b28c55e82afce2281f59

C:\Users\Admin\AppData\Local\Temp\60748084\koi.xl

MD5 18d9863d59d51e5dc7453772589599ad
SHA1 e980b9683f358a9b9ec8bded0c8e7f60d6d78434
SHA256 7ed097e8701e4e9a6e3c586be8a4c4c93246ead36967269aa00ce846bad16a2a
SHA512 327e0b95d02ea2208678d1a15133384069a2981869b0983ba13d273d6dc8d8d5ccf4ef31b61d6cebd4f0dddc6dd256de67323f5d5fc9efa4a7c845d59c250295

C:\Users\Admin\AppData\Local\Temp\60748084\jsj.pdf

MD5 619222a29b604dc87d835a0823978618
SHA1 aa81a4963326f965a2a15d4a272510e7aeabeff5
SHA256 6b2336cb760fd056d580b5d91b9e8499a6338821f2d857554bbfe47155712d14
SHA512 60cab44d5733dfe6deabc966aa7f6a70d53bf1f0f5bdfb2be511e3c85bb51f9d939bcb1d176c93a748dc4170749261feaf576f62f17ee56091a8502bc5480592

C:\Users\Admin\AppData\Local\Temp\60748084\iju.bmp

MD5 6b599ee36e844f78ec538719e5e519c8
SHA1 f0941017860bbb7ff14d516fa6056a2c70e556fd
SHA256 f5a620d1ea0157a4ea9081a238174bc10656a8f55f51eef908f557177df846c3
SHA512 242bcced00cca2be7b1f1dc9ce19b3176dd34051fd5b8a0ce02493eb803ac29b48e1c8ecf4395f99ec420b04b2582320e8878b37145cf1cbd01e234a318a6c0d

C:\Users\Admin\AppData\Local\Temp\60748084\hid.docx

MD5 14f50b8bf69beb03b8d37a54900d839a
SHA1 f6aad00f2c08d89cb658caf74b570f9c138e57f7
SHA256 d5e578a2e995b0a0167428b73ce65f40d11161c5dd169866722e3c74a239dd22
SHA512 8f0786fc9bcc396079d5e8372c0c99dfe76b31d464a5f391bb1ec6e228dfae4276961b033fa3f53ba06e1916cd30c56860c736e50d26390606e36789c2a9ec5b

C:\Users\Admin\AppData\Local\Temp\60748084\hbq.icm

MD5 9d28f938334fa0e7f2b975fab975cae6
SHA1 f97b5c570bd02bbb0d4c4545ae5d5cb9916d6103
SHA256 13056f3f3727532332a8d2c942f129738219f4ff53fc60861ded431f96d457e8
SHA512 24396e04952daa13c63863c3f5fb068ed8c46a97daa350bf8693ea5494e561eabcc11e96580949cc7e6433211ae54c6ba7801e78e33f2669299d54c36a8c65f2

C:\Users\Admin\AppData\Local\Temp\60748084\fon.dat

MD5 84af0dc433d4e667f9d26f7d3b730f20
SHA1 eca0623e6930cbc05c552f918612af2ceb9e6564
SHA256 e3a5a6b91cd9a3e1920e1f6727259cdd74d07526ad72c33f7d9935460943363b
SHA512 d8a821c017d29afd9cbb184783f4ab937460dc1c4641c1284005eaf62cf9563849d4dad4d81d64c50f363f7706e5ba885d9c6ede2296fbb6b5b561862885edae

C:\Users\Admin\AppData\Local\Temp\60748084\fao.bmp

MD5 7d4fa65e1d68b9d9758ea294ee234df8
SHA1 9d2ce4f535cb9d6c651c88d14278734bdb498e64
SHA256 a4bc0adc0e2bc9baf9c69c42484de1f3d8708589d9555258b9cc186c9eb3368f
SHA512 be9847ad206c2ccd9ee95699cfe12aa5e64f604e7845362e5d86e5419bfa1c248fbb81f14761f8a6c6c5ca23024ecd90935ade32c24a2b1c57848bed310982fd

C:\Users\Admin\AppData\Local\Temp\60748084\bke.docx

MD5 7b027091faa7599c8c878baa40380f80
SHA1 e1faf0a90e2f1284b29564a3c721354ebf1c578e
SHA256 5cdc494c02ed18a56b96d9de2ee3209c681651b5d5a774008d9e71207462d4f8
SHA512 d1b979dd9fc91a4cf5b35c266867a845400b6b5c6227ca28d7198bd47c8dfe0b513557695fd1c81a484575f6e4572815e21fa89a088673e3dfad565d7f33dd5d

C:\Users\Admin\AppData\Local\Temp\60748084\lmg.docx

MD5 e6a4b2ec3642c1e2eca5332885ff5192
SHA1 c785e74a1ab71f51e426bd97cc441f602e8012b9
SHA256 e8db2485b0700a4327ef16b3377eea803232e9fea7045dccd38ae2f375a714a8
SHA512 4f3b1730034882060f4f11212967d6724ffa4a93148775a8041e221f98448990c914ed652b5ff29f35b9ab361c897523a1be9265b1f4049eb073ed8514e682da

C:\Users\Admin\AppData\Local\Temp\60748084\lbc.icm

MD5 8eadc690507c46a25a2c5ff3c6fbb98c
SHA1 443e42a47d056ea18d9a714ebcef121641b63326
SHA256 58cfb44b55969dcd46d6e5d45f1808786df87d1de42c2876cd31a9cf6f115129
SHA512 3550d378a9de864bf58b31d4156a776bb32f7255d050164e32f327783886a2050dca5faa2731db9a56686c80cd869db033f3e53c854768660fd08613b5b5616f

C:\Users\Admin\AppData\Local\Temp\60748084\ejg.jpg

MD5 f556ed8ce3360a692b159dac8a166955
SHA1 637871f8cf02c90ed72dba11579b997583b54620
SHA256 9f22f7888583aa88b45354c8dc663d2af2b10abd95a14417be71881b451cde1b
SHA512 add39ed35ae1999b746435c421b64b962e34ff69aaf19b21cd20c178c0cced911aa41917e5489983e0f8b50975e73af36f23ed5c5bf446a613c2200cd67be278

C:\Users\Admin\AppData\Local\Temp\60748084\eak.txt

MD5 6bf1a76f3ab7805d41d5a79bd96f6bed
SHA1 7ef57ba165d2642fecc4043c61a8ecceb126ee3c
SHA256 c0e628591aa502a3b033620c196e64b28492d5f3d450762e23eb4caf89cb1cd7
SHA512 33adaa4c12644f7f58f0ea972a872c0f72558bd203704352b8285ff4941cc85f2ce8a61a244ae2ba85958ecfa5fbf46a8b5881157f527e9bb345d712e13284f7

C:\Users\Admin\AppData\Local\Temp\60748084\dwm.ppt

MD5 ff73177bc8806baa20695c3ea64924f7
SHA1 2a13a93709e34adffbf5b8f6ad5925746dc2ade4
SHA256 811341fe56cc37b429e582260c85575eda07eb5ff59b7cfb41f9100e9975abcc
SHA512 1e1f8ced4bfe07b5f6ec5c34eb79dd7efcf3a03b1fc773fbcd3120d23eadbade8d962f1b152cc57237398c8caf042b8a71f4f82c38c93df4c2859bf2c9ff9085

C:\Users\Admin\AppData\Local\Temp\60748084\mmg.jpg

MD5 b24239198c3b38776cb4c76f40772032
SHA1 93b148fc1af632b3cc02f11f246636e79a131c8f
SHA256 2d4858fab6314d93924b056773c7d559823ed2c91b05b35f96d3bde66e7a0abe
SHA512 616287ef675e5e22f13293f62b3404b937c858ce2c4061e067c9f17a5a937ddbf3485f3441dc1833d64167218c03219f377d3d5b5cdfc7810c7ed58fd7d89d83

C:\Users\Admin\AppData\Local\Temp\60748084\dne.mp4

MD5 6aedabdecf2efb782612e5a64d54f28d
SHA1 af42fb46702342cd8d83aec9ce31990cd43fd565
SHA256 8b5caf15df7dc51277e50f8d210b1af9250b9ee2d49023c7c4f856af4b5f93d9
SHA512 6adc5a0e7020d6701353462eaaab6f6295ae67e0d51424b1f209cb2e9ee2e773701c552acdfb99e1a48b287dc4e79ae8860d7bf1924e62a7df4dc911e42591d3

C:\Users\Admin\AppData\Local\Temp\60748084\dke.bmp

MD5 2599f3f2e15dafa610063737f87e570c
SHA1 28331e45257ba5a53601a222b8a1b933168946dc
SHA256 557ae5381c23603c1c2c6517714dc84e49e5b389b14ea2bbbbf25a399cfba325
SHA512 1c26941cb2929e45964f4565610113a8eb1a7ffeaca94a0802903a8313d7c2ee073845065a1b2953a6ecfb433bf9a633ea3ccb1523ac436050099f8c9402f314

C:\Users\Admin\AppData\Local\Temp\60748084\daa.jpg

MD5 d3c880d061584916c81310b0fd23f7ad
SHA1 3dc4476afe884a0d941eb32b3dc31eac78d897a6
SHA256 233a07f12997bdba3c3879a7d3bbf6dcd86445dc434b8a9d026c58971ca83865
SHA512 de4e5f9dfe4dc4f26a6ef57869341bffd051c5b071ff93bf5e5d76effd6996d62112ae0e8f76040048dd8d92ea5ee64cf1d71babda94efc847d23692c12d1ab1

C:\Users\Admin\AppData\Local\Temp\60748084\ckn.pdf

MD5 557254061f5e199663aa53e532c823c4
SHA1 19df493026d1708edc1551b910b4affe9f86d605
SHA256 e8e84759d87cb3e0ec8c380074ec8742af5971373dde9c96e39ad96d1fc1b75a
SHA512 7a7d94982e75ad6bbbfd414c68ef0670dd271bd0b8a67df1fc439afed5ac5015b2f15a2b975292646d05585217594f072c22d00b3b3fcd6b8ca950b56c990c3e

C:\Users\Admin\AppData\Local\Temp\60748084\cgl.mp4

MD5 6148f84c376c9edb9c27218e53cda4e7
SHA1 e46ff8ed09e90eb9397f01f302468b4602997dc4
SHA256 bb91f56b21293b707e10a87812c8080247e2088cd001f5b4ac90557dcdd24be7
SHA512 801c1fad6345b2d5a52f192c08b9e6289acb5d6519f24d159c11e09391a0ceee1e5d316bcd2cac8d8556c217371543c75643085903bfee82936e98f877ea84fd

C:\Users\Admin\AppData\Local\Temp\60748084\cew.ppt

MD5 e62e907f8ac63a23a48bfefbaae0f817
SHA1 20ed5a17f74ec84ce20ac5036e64535999102502
SHA256 366e722ac40e4871ed6b49e0383dcb37b415371cc562d0361cc2c7b4f27f3345
SHA512 f1a2d4adffacd8842973a5758c12c1b10686da9f573fde393972de4ffe5201dd79075d99bd4a259d1b9bfb4d9b04d19a0e2bf94b9263bae1448701ae35210ac5

C:\Users\Admin\AppData\Local\Temp\60748084\bpc.txt

MD5 73a4ddbff1464e232328647240047417
SHA1 41b2874ad08774e145a60d9ebd75a309b40919e3
SHA256 7233966f9b43d7c06531cabcc3308e241a53381203b34757663c605628ae3fb9
SHA512 015e08c207e9f4fc837204437613d9a59fd20d69502806c25cde5b5f86a72a9a220917900a9e3f994549d2ca27df9ad41e603cb677d5cc76b48fdbf224d98e7b

C:\Users\Admin\AppData\Local\Temp\60748084\xhw.ppt

MD5 7ef358ab2e7323d27e74a336f533177a
SHA1 1d64f54e110ab71be948333784f0ea9782b4447f
SHA256 8821f2668ef13d8dd500d8ffd866a64e3f905f6d5349f1fde44eb13344bb1ea2
SHA512 418d6df679b104f7a25fc2fc1a623484a15baba4744057b831ce91d8a11a11246cfda54c9e41b6d0487a475ae2dba1c3354c67459d717a6995811e377b142c7a

C:\Users\Admin\AppData\Local\Temp\60748084\vei.ico

MD5 eeb43f5c5a4adceea67484f4bceb2824
SHA1 fe187a8982dbd2d7e7fa781d0deffafba06cbc1e
SHA256 7b2ef6d386af1dea8cda45074867022f02f639368102727c47baadeda4c0fa66
SHA512 6d6309e8d6fdedb0f86a6d9c24f51f693822e0aa7005c6c050cbab2679f758f96525b0acda7aaa05cdd16510fd01b1045a458ab51e661b1c3ed6c2df71e1e7dc

C:\Users\Admin\AppData\Local\Temp\60748084\uxo.ppt

MD5 74021a8f6c474e54ebc03f958a2ee625
SHA1 544492104d5fd9e3ea1ecf2eb47ac0c493c8a059
SHA256 ef21fd919ee673bf93066885121bac6dae6dd7dfd37f9e0400b00f54be5a0439
SHA512 3190c402d1a90870fcde7d733352ef7e55b10d3ad0deb44e091ef286801c163dd1aa71d1908fd105eb15dcece6eeda8497ef2d7d2ae77a5d93ca8324ded6a51d

C:\Users\Admin\AppData\Local\Temp\60748084\ukn.jpg

MD5 3c666fbdc460f3abb0512e3ffcf3aafd
SHA1 817ea5b68b582c37a23ef2bd3348097737af5d19
SHA256 cb46ab6690c2c60c6c3c218da9cbe5cb75ac4a8a5ec1559decf6595bb6ec806f
SHA512 bc0fc22d568af308684b9da41cc0894a23403687882a448d9ec009a39299b7ba4ca9d059fc2d7d63fd3a4e10cbb3253b6f34acfce33b39efa8b8907174eb7f05

C:\Users\Admin\AppData\Local\Temp\60748084\uep.bmp

MD5 be76cfc488c99ab5fafe42ac801682a2
SHA1 e51749f599d5ca3173582c362caa85adb88f2325
SHA256 df0bf5657084bb21486d69d662d851d556d135a723b9b7f3d453f6f25ba67f4b
SHA512 7bfce392a797461d5857ac12829577b0ebc233d7148ff67772293b84909186854200775b20ae7eb49974b0f2502c13c742eca52bd2fa0fb0046f1416b4a19ce3

C:\Users\Admin\AppData\Local\Temp\60748084\sub.ppt

MD5 cd94e9157418207a7431b5ed173c7f5c
SHA1 6f64a66ae6a9a60b971a5c3955d6b253661feb18
SHA256 e12a03ab9391e8e83168a4e0e6f38081c493758135db1c90234c479ce9c5c3ed
SHA512 3ff5c039d8588c79de10679cb5fec1d60f676a83f3f33a5e556b1267d9d316ea125947849d6f1de02a8fed93045ef2fe9d624e755bd31251171c349b5ec81f8e

C:\Users\Admin\AppData\Local\Temp\60748084\sps.dat

MD5 77c55091f151ad66d338b07c25337dec
SHA1 ae27f3ffa8c84264c4c5a6624e13379e191e07b7
SHA256 049a836c2d1566907f587ae0d3666630e5c6b4e474f0aa84b1df4fc94d993f00
SHA512 4bea4ca274c01d015ad308a542796d42b3b095c48c3cedda94f2048ed1f62bf9543237245188934334ae077af6174360260fd4a6ac5ad53d3a5e4027877b014d

C:\Users\Admin\AppData\Local\Temp\60748084\spp.mp4

MD5 83b5a7c3c11f44f42aa9851f919c833c
SHA1 3dd4d6a0eb77464fa1e5cf005356ff5078128914
SHA256 7b4c2bacd4bd15ebf0812cdee67d2b2ce15d8ad6f55e2b525d7514169daeb3a1
SHA512 3df11098a3d1adbe013642e3cadf385251fa31c5e4e8039ada63e19b789196bfd8df152add4d6011506f3a8df457cc295dbff873c3bd4bc51b9022f5d9b5d003

C:\Users\Admin\AppData\Local\Temp\60748084\rnu.bmp

MD5 f870488ba43f6bdefabf848f4972f63a
SHA1 4dda62f86f69238a06f2f4b9e1ff037dd4a87653
SHA256 8e321e251904d1926462522d12eef43aac726679e6a0c8768301024f7c9517c8
SHA512 0e3e54a6a32b4d5bd8952886dbdc1018b72fae14f4d53337623a6b36108f45089f4873fa1138d81fc98b01fa9c0e1d8e8b8fa75b76976fa96a263c029c81c976

C:\Users\Admin\AppData\Local\Temp\60748084\qix.bmp

MD5 d97abd5bdd067cdd3a42b5c65f63e96e
SHA1 c9023a608372c07af7d5ad1f54861668e3e8663d
SHA256 03bcf514d4a6d7a7a2dd50ee48d71ba701932592650c7b3575044e2021ba80d1
SHA512 45dbb3de027f638d4531f2ffdb6fc814e8e0e1ef054ed83bcd30cece014a89600291fca0599a272c7e1416f4015711834d62786f8e8d1150b1098bd34e867a8c

C:\Users\Admin\AppData\Local\Temp\60748084\qer.bmp

MD5 da1ee8e4494833fe542606e175498c9c
SHA1 73621d5c202afc5ba3329ddadd16da1c599f8bce
SHA256 a84437c7e2e4c4af2489f1dad06af4d2f51a6750527aba02d607d7866f9e933f
SHA512 2e6da0a850ba38110a5a079b1d3a863f9dbcb990d48961292aaa29054a9041acb4c2b5c96f45d920fb40cc1bd15ca3ae0851d1b4f44846145bc65d1d22efc3c0

C:\Users\Admin\AppData\Local\Temp\60748084\qbh.xl

MD5 1df1287818564dbda36a6dabb94c91e7
SHA1 35774859bd567f28331af06f51730e1ac07f05dc
SHA256 362640b6162a633b9e175b9f0b47262e792396267a9c297007ddc34af2f91591
SHA512 bdd6ea0c9a985816adbac9b25abf1ad8ba68144fcd25bde63d4ebab783510819fa3c0cd62f9ac2b15fbb028bb371df8d3826ae19b29badde62bec6752eedbded

C:\Users\Admin\AppData\Local\Temp\60748084\ptu.txt

MD5 2065e5988d40b506876a001488909aec
SHA1 a3320db0b57da29f91dad29024da1a571865237b
SHA256 a2f3caabafaa8611d4c68ba51209156e5f706fb536c7c7cdbd88e90b822424b8
SHA512 3ef70ce2640422e7ea63b828d0c192880f986be5f43285063c0958fa7f37d21584629f049f3178c954b4d3b1c0b20343b1304eab721d103f48dd6a4d417344ee

C:\Users\Admin\AppData\Local\Temp\60748084\prj.pdf

MD5 b18f85a41fa08ffc88fd2d20ec9d2a5a
SHA1 320002f029886d5701c10f14af0160584ff459b1
SHA256 1a52148bb7e8483aa4e84212f6732519d3dd1619283d7b964f309df5e10ff2d3
SHA512 a74539a1b4abab2ff556b4d41275c7189997edc7e87a70e5a6fc19adee75f00dcc82ec322aa63f8d09ef26f23b4117a685e93229d6047a124235e512d5ec14b0

C:\Users\Admin\AppData\Local\Temp\60748084\poa.xl

MD5 d5763c03626fbb20e26d8a70d14b184f
SHA1 a587f64c7694cf1371827983004b7af99610e872
SHA256 d0a3f735b11a10444a7d238a75a63e0200983a9841237e0288689a8b4e00acb5
SHA512 1b0ce0290e25dd9ba42e84213462fd95171112039e73116ae7af31afbc86dc2dbabbbc5ee4c1bcc38ca114075b7be1c705f72a7509664240b0bdf43e5e164763

C:\Users\Admin\AppData\Local\Temp\60748084\olj.icm

MD5 f8962052a9be8710067e42b7dd37c27c
SHA1 92b2964996916aa4fddc4ced4166d7baf2a380d4
SHA256 bfb9f527d23e3eeb0b58b4cc2bb3b554727fbb3391ea77446f6410979aa9cd1f
SHA512 b9962d75d7bb607b5270362014cc13c46add08b7cf8b13d507f1426e7cd99ba2e4a02415d8d8ec94e0e817c2ed381013a98ed249ecc5e820fdd20e569d0ec6ce

C:\Users\Admin\AppData\Local\Temp\60748084\oin.docx

MD5 cc917430679676df4bb52cfc46519cf1
SHA1 63983d0933f13cb3b3e2e6b5640740edd3e87e3a
SHA256 44b4bded2fd7aed4b5a8eb0579ae3aefd72d5f5c677a0009cbfd7cf1478ca42e
SHA512 7d135b2e7932d004506d0c109506db6a8fd34e3d288699e7fd477019f6643b3e340085c5ff69118f6f1d6ac80aaee36748522c1155a6a8483eb989c50fb8d709

C:\Users\Admin\AppData\Local\Temp\60748084\nst.xl

MD5 553e3877bbe30e45e4c672b7089f44da
SHA1 58d17a6bf383c674674fad485beb14b6719e9e01
SHA256 371bbd014dc8732c87929b8dce14a832136f83f765661dd6b183d058dffeb52b
SHA512 0df093c204c0c1379cef0ce8847c3201f3cb6617c37818f11f86cb4941f1d57184ff5eac832877aff044d795d98a9d3736dfbfc3fba156b9dcd492808a7a5132

C:\Users\Admin\AppData\Local\Temp\60748084\nmk.pdf

MD5 e7698f958f9c7766bc0298d69d2eaa86
SHA1 c09c27b0701dc0f477e917f7c7595f3de1ebbf2b
SHA256 8efd7385665e26ee0e93564ecf975a74f2c319ac9ea67411d894e965d9809599
SHA512 973a28e8531f6beeeb9a11bc81933f05e385a965ed98292fd9341d6528f182dcd52385f4b72d8f4e7b2ae2c202154ff2346a2baf89e8c5ddbf4fcfb7d447a712

C:\Users\Admin\AppData\Local\Temp\60748084\mqi.ico

MD5 f17755adc1bd60e072002500e9f2da3f
SHA1 572d141a1013862ed9e3b0e088a1cfd49f81379f
SHA256 2e16b21d2c56a63c3a2091ee9d5e8d27a4af4da54fbe7ae5b87e2cb2cf6e591d
SHA512 347c50a35e991e962f09d8d69589e1d920136ca683b7e5d7d22e2e05a79370db65dc8c6e35d8e3965e9be75efa86968770a0af7fba8efe55c9dacca0a1fe010b

C:\Users\Admin\AppData\Local\Temp\60748084\ZAKZR

MD5 2119ba402290f6647533f887df75ede1
SHA1 f08072e37a05758c82184cdea2d9644241c5990f
SHA256 fa6d5ee9d2f03c43af730b9bb60eeaae88e4b5c7abfebb9190dbc2c9aa13f59e
SHA512 bde4ec9bdc4429747df1cf4cd30c33986c7b92cb24f51497886326c590f1cfbd9906c9770dbe0c36408355e29259be6a34bc2504d135af3931fc95ee695d4c50