Analysis Overview
SHA256
0e827590379d5651f1e81767b06da5a82a1366a04867acdb41f83dd5394e1bb6
Threat Level: Known bad
The file ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Checks computer location settings
Uses the VBS compiler for execution
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-10 21:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 21:36
Reported
2024-04-10 21:38
Platform
win7-20240319-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3F9F.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp3F9F.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3F9F.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lpuixvrk.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4136.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4135.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp3F9F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3F9F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
Files
memory/2512-0-0x0000000074590000-0x0000000074B3B000-memory.dmp
memory/2512-1-0x0000000074590000-0x0000000074B3B000-memory.dmp
memory/2512-2-0x0000000000BB0000-0x0000000000BF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lpuixvrk.cmdline
| MD5 | 3d46fec11f51e7133e8bf6f12baa9fdd |
| SHA1 | 1a5aca97c32323156bd300ab3f06c8c4d56f2d8d |
| SHA256 | e5fc6203afdb3a5c2f2b6618b3822724c412f1b873d79757d99c81298f02f902 |
| SHA512 | f73a517ea9f50f0399c1141eea1647d83232a123bc3152cf568db4dfe1ce1f26a0d8380d0627bec67749d51dde8189eac33f85eadbd023e5840de5f2e5fd0dae |
C:\Users\Admin\AppData\Local\Temp\lpuixvrk.0.vb
| MD5 | 02b6a3f981adfa04d42c0e234ea2d4d2 |
| SHA1 | 6bae686efac8b8dbe6e48d36a3e9b0a45cae6e11 |
| SHA256 | d1fb5eb2b7257809973188ea1125d90ea27ea2da9ab238197e95cd6f1f195092 |
| SHA512 | 166066712f8b2006dfcac3347afd7884032e9fd2057646a037e3a717b89b5b5f32d2eb9a7d59389ece303e9c5e0850dda7686cda9c4d0677a627690a9e7f4577 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbc4135.tmp
| MD5 | 96885a8c6708bd82185914f206acec48 |
| SHA1 | abd9d523a36480d378e7a5f63330898240f81197 |
| SHA256 | b7fe408f8ae306d3fc8be53da3cbd8a6310c72c41eca2d890e376092bea91685 |
| SHA512 | c503ef6d5f679a8eed6c4e814fbb09010f08c64e77952c164ca735f8fb71a137c6e8878471407f84bffa6d5af73b1a97d83075ada34d8249cfe25ed312eaba6f |
C:\Users\Admin\AppData\Local\Temp\RES4136.tmp
| MD5 | 7a2cdb54da3a6f48858d09ec26843dcd |
| SHA1 | 5a9326d85bbbc03074676cb99272269670a5ab63 |
| SHA256 | 69067afe68f8cc50f1cb2bd36dfa8ebe435e2db0044a902c5651f3fab761a42b |
| SHA512 | 1548e90db09cfdda663896fbc64784206a9ca3e0a7cd54be8f8763e361d45dd17abe26de64a5b0815f5097c1dd6584866d7b089e1d7f6bdea8c3f1c9f7b6141c |
C:\Users\Admin\AppData\Local\Temp\tmp3F9F.tmp.exe
| MD5 | 8d7ca5545bbf7e28854de8702430dce7 |
| SHA1 | 85c93ce0b57731a5ca50e97666977c35d78fc46b |
| SHA256 | 48323cd633deb871659553f77d7003b2e1ccbbee1ff232316892e9d1c4ea6ce5 |
| SHA512 | f95d698dfcc309be666b38e33d3286af982bda36284b061d4bb3bd113cfb290b433cf60852ba6b71819e6f054486a62b3fa9772c7bf94242cb095032d48e7ae0 |
memory/2512-22-0x0000000074590000-0x0000000074B3B000-memory.dmp
memory/2564-23-0x0000000074590000-0x0000000074B3B000-memory.dmp
memory/2564-24-0x0000000002110000-0x0000000002150000-memory.dmp
memory/2564-25-0x0000000074590000-0x0000000074B3B000-memory.dmp
memory/2564-27-0x0000000002110000-0x0000000002150000-memory.dmp
memory/2564-28-0x0000000002110000-0x0000000002150000-memory.dmp
memory/2564-29-0x0000000074590000-0x0000000074B3B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 21:36
Reported
2024-04-10 21:38
Platform
win10v2004-20231215-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp544A.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp544A.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp544A.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uhylnsmg.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5544.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEBEC5197BC8A40379ABCFF6291D368.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp544A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp544A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 219.203.100.95.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
Files
memory/1180-0-0x0000000075130000-0x00000000756E1000-memory.dmp
memory/1180-1-0x0000000075130000-0x00000000756E1000-memory.dmp
memory/1180-2-0x0000000000780000-0x0000000000790000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uhylnsmg.cmdline
| MD5 | fcdb1c81906e6ff3778d1491bed76dbe |
| SHA1 | 4b27337a342138a54f6d3f4c7d6c2f94a664d8cd |
| SHA256 | b85d633e9bcaacf31ce742160d8be05361852f837a36af6eae272626b85c32ce |
| SHA512 | 2e492c1de05de5492e73584e14a79d3d3b9414494851a242fba0eae3c5ae057fc30e82a7f593410ea23f11572e0f33a555b8eecd7126a3f72422a2d03b91bb2c |
C:\Users\Admin\AppData\Local\Temp\uhylnsmg.0.vb
| MD5 | f2eaf2a098f8f5331460e0596611b541 |
| SHA1 | 9326d346ee1c09b2035da2ee4e92beb32751b814 |
| SHA256 | 96b78815bb2abfaee0a85104e6d9382518eef941be287c8ff18c744da5f6cae4 |
| SHA512 | 6c31e063a2d46381b31948ea21201d6f19170879597709dde8579e2a01032668425f2b38fe5dbb286ed760ed965a85f1dead415d9399529ffa409653cb36032f |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbcEBEC5197BC8A40379ABCFF6291D368.TMP
| MD5 | ca7ba9fbbdb00ae617871857be0a6fce |
| SHA1 | b454481ba4617d1e25e04a81353efd0e12f602bf |
| SHA256 | 94056f6a0854a460d5b29948f8655a5e9b861cda5d969f537b50e51c2ab4c4e5 |
| SHA512 | e95df6931084563405740ac654d65781d51dfe4c532420adc590c866c69d5ddca8ab389d7464f2c97f3f2deda3a89bd61f36a9c24b5b4a882da389968bfd415c |
C:\Users\Admin\AppData\Local\Temp\RES5544.tmp
| MD5 | 8ec0e654c8fdb20a77e800196e0c763a |
| SHA1 | fc514d611ad2e793117307c20319e87f5ed8cd05 |
| SHA256 | 9930c7472d12cd74ee4d8cb1f1c294f366398f7a343ae49743cf481f57edb5b2 |
| SHA512 | 24aed4a04871e2aeaf94a227c30d6f3be39c82444b95002cae9163b4db56f5a13ea560221ac53fae32705cedb1dda48e0ffd3663f15626b2b60c164232ae3bf3 |
C:\Users\Admin\AppData\Local\Temp\tmp544A.tmp.exe
| MD5 | 2e0cd864fb2ff3d6622e013f0c701cc6 |
| SHA1 | feb7afd45bf23731157ee23da6d51561a6509ee1 |
| SHA256 | e33b70ca86d9160ef4d15cca07968151b9a8bd94756aee80ce681f212b603911 |
| SHA512 | 837643900c4ace4dd795caf5739af41794297e6623037565bff010d8f3f33bcd359bd53c55a4e5cf9fbfbc553f912bdf718d190197f26ec033283fa84d5ea387 |
memory/1048-21-0x0000000075130000-0x00000000756E1000-memory.dmp
memory/1180-20-0x0000000075130000-0x00000000756E1000-memory.dmp
memory/1048-22-0x00000000016D0000-0x00000000016E0000-memory.dmp
memory/1048-23-0x0000000075130000-0x00000000756E1000-memory.dmp
memory/1048-25-0x00000000016D0000-0x00000000016E0000-memory.dmp
memory/1048-26-0x0000000075130000-0x00000000756E1000-memory.dmp
memory/1048-27-0x00000000016D0000-0x00000000016E0000-memory.dmp
memory/1048-28-0x00000000016D0000-0x00000000016E0000-memory.dmp