Analysis Overview
SHA256
27c0d27301d0249ad037784b18fee5c087534b2ed3de81db6c038227e38deac6
Threat Level: Known bad
The file e850ed9b9eb661162257c74b4caab45d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 20:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 20:13
Reported
2024-04-08 20:16
Platform
win7-20240221-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1140.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hxqyzktd.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES120B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc120A.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp1140.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1140.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\hxqyzktd.cmdline
C:\Users\Admin\AppData\Local\Temp\hxqyzktd.0.vb
C:\Users\Admin\AppData\Local\Temp\zCom.resources
C:\Users\Admin\AppData\Local\Temp\vbc120A.tmp
C:\Users\Admin\AppData\Local\Temp\RES120B.tmp
C:\Users\Admin\AppData\Local\Temp\tmp1140.tmp.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 20:13
Reported
2024-04-08 20:16
Platform
win10v2004-20231215-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp39FC.tmp.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp39FC.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zj-hvuc2.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C6D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF9032EB5D12449D6A5DB4E58AEA97CD4.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp39FC.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp39FC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e850ed9b9eb661162257c74b4caab45d_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\zj-hvuc2.cmdline
C:\Users\Admin\AppData\Local\Temp\zj-hvuc2.0.vb
C:\Users\Admin\AppData\Local\Temp\zCom.resources
C:\Users\Admin\AppData\Local\Temp\vbcF9032EB5D12449D6A5DB4E58AEA97CD4.TMP
C:\Users\Admin\AppData\Local\Temp\RES3C6D.tmp
C:\Users\Admin\AppData\Local\Temp\tmp39FC.tmp.exe