Analysis Overview
SHA256
5a47d09740e522442aabc10feac3bff2c724320ea6c648467201fa7356a16154
Threat Level: Known bad
The file eb24d7680fdb1b173363177482064b5c_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Executes dropped EXE
Loads dropped DLL
Deletes itself
Uses the VBS compiler for execution
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-10 13:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 13:10
Reported
2024-04-10 13:13
Platform
win7-20240221-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\da28qp1u.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4599.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4588.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
Files
memory/3024-0-0x0000000074D10000-0x00000000752BB000-memory.dmp
memory/3024-1-0x0000000074D10000-0x00000000752BB000-memory.dmp
memory/3024-2-0x00000000009A0000-0x00000000009E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\da28qp1u.cmdline
| MD5 | 896515befc7c73855bcdb1b13adecb8c |
| SHA1 | 99388d5fe2145836ca04618d4bacfdd7a39320c3 |
| SHA256 | 5162a98df4b0a29da5d921c2ef4e2feb2937132f552a8a529bf368ac050a0b55 |
| SHA512 | 6ac16a818d281174cc90aa8da9084e514b476d4fb5142996374f5615e61a92f59039e6a0e171097a11a6723f294987de6194c412d3372f6c614a4246bb66b61a |
memory/2252-8-0x00000000003A0000-0x00000000003E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\da28qp1u.0.vb
| MD5 | 5b40c37cfb51ebb1a08c18113e5ac7ce |
| SHA1 | 78a88a25b72642ba90a612660c6818fbb8b67e0f |
| SHA256 | c9ba6739eba99dd79671917fc8b1e14da73d7ae940331f364e07a9a82e24b4f0 |
| SHA512 | 29a87059377e7fffb98f95f9798c7bab6c82962ab38bf0ce25e4e7e5f6b146ccf44ee7b475befcaf1daba568c19255dfbd4bcd15b41080ad075ae5152ad309ff |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbc4588.tmp
| MD5 | 9e0ad11c9bb3c891380fdab6ce486db6 |
| SHA1 | 2e205b252f25dc0abfb7ee1ea565dfdba4a447ca |
| SHA256 | c538c431d945497f46fd4261fef40dc205496637ba2aa6aae5176119e58d2717 |
| SHA512 | 57eb563e52d1732235d3f15ffc25345738c4f30a5d63b9db643a70fde495750f6a711c0e1936d6c4c89a0169d27bc3e701a13525d6ee525da6824f3b265817b5 |
C:\Users\Admin\AppData\Local\Temp\RES4599.tmp
| MD5 | ddb964330eabe0a1f47759c65639e9dc |
| SHA1 | 8444c3b17182055c9a99a0f3a47408b778cf7517 |
| SHA256 | e6c0b8a30554b59793a020860ad2bae08e8da652a3468550612d7e68c30c99cc |
| SHA512 | ac8a019365d59449299cf259d84460af453f71ae1d099a812917106c9d3cd07aef3602b0017f37b7a9e103e7ec89c3617dac063d067499ec20a57f5e54aa19be |
C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp.exe
| MD5 | 2d490ea21a9821ddd828a6b203e2ab58 |
| SHA1 | d94a9e7d7db7123672c50f8a7476204d536107e5 |
| SHA256 | 91bdddb69a03f70a91bc4c6c2ee657dccea152e21d23ad31d7539227218d2524 |
| SHA512 | ddb4467e45de9246f0b5ea2c9eb5e184c3334a2305af4dd0a19a48b94e27fffa0f4911db9acbe2b5d2b3a1a046468bf8d3df89227379e7874eb1c2eba5b4351c |
memory/3024-23-0x0000000074D10000-0x00000000752BB000-memory.dmp
memory/2644-24-0x0000000074D10000-0x00000000752BB000-memory.dmp
memory/2644-25-0x0000000001E50000-0x0000000001E90000-memory.dmp
memory/2644-26-0x0000000074D10000-0x00000000752BB000-memory.dmp
memory/2644-28-0x0000000001E50000-0x0000000001E90000-memory.dmp
memory/2644-29-0x0000000074D10000-0x00000000752BB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 13:10
Reported
2024-04-10 13:13
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
158s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8637.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8637.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp8637.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8637.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mzitjs0p.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8760.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50E2258866E54145AE6B45A715A9471A.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp8637.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8637.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
Files
memory/4756-0-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/4756-1-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/4756-2-0x0000000000D30000-0x0000000000D40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mzitjs0p.cmdline
| MD5 | 79bca7cbc155deebbc99b5a9637b2e96 |
| SHA1 | b92a664d5371d596ee893a09cec580b2dd06b923 |
| SHA256 | 0233e01021c81954dd2e65997f1ac4c4d69eac696be8d3306ca17abcf6900c6d |
| SHA512 | 84da4b6d4dd52434d8eb2c814cfc0e2fbe67452539a5ec6de0991e0fc364ca6d64669281f92a41ef9bbee12a7bfd4f2b2cb7c508464a4968fee132062c2c3644 |
memory/1368-8-0x00000000022F0000-0x0000000002300000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mzitjs0p.0.vb
| MD5 | 7543e813a7444dcd7783329e91021d82 |
| SHA1 | be077e6ea465bdf75f5dd65ea118ddf31fffdc57 |
| SHA256 | 82bb0e2a0b88d000601082c1aa2776cc5bf183207fd5c1b94c55cd064ccaac5f |
| SHA512 | f5d7f9f14f1c7729f9fa2a8a56be2953ec0e2aa4ef5a3d936645f4fa6fcc832eae7f825d0305061946eb55561c479c386dff548a754d9ff7ebddad343ee81981 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbc50E2258866E54145AE6B45A715A9471A.TMP
| MD5 | f8560a2b0f15fa991b1db9a6b05107cc |
| SHA1 | 539c9a1fc4cfa9b20b486103cf00e8cd030f4207 |
| SHA256 | bbaedd7a1ae71d1317bf34c898225043288332f25d418d2f071dc983b40fdd60 |
| SHA512 | 2f0f3306e387088b831f9ebcc4ab9bfe583515d87442dba338da6948462c5047f17e3dfda2148e5fa5ed80bfc4df0493b1e94d15ec4af81a1b6643139bc0ae2e |
C:\Users\Admin\AppData\Local\Temp\RES8760.tmp
| MD5 | 6df90ff56aeeb1b05c5c5ac6f1874fc1 |
| SHA1 | 9c14ea1f9778e583ab9be2ad5d3acfd3d02a85d7 |
| SHA256 | 7a22d58d4303a179efd5397a3908d8584c6e1f5fba8d5f94c1682431fe14df24 |
| SHA512 | ce7781b8fc22c8c3272c4e244911265e8c49caf39d610755d90a8bbbb445b98da86b0e16d49f2bf7f03b2f28029de283347e003f02061fb808995d684797a027 |
C:\Users\Admin\AppData\Local\Temp\tmp8637.tmp.exe
| MD5 | a32172b046fd45804cc66e610d19d788 |
| SHA1 | a5c2bde7920d55c5a6b45014b2a3cec0ef0ee65e |
| SHA256 | 92623416dd1d6f617730f34204c595b43608b9c327a520ef1137f06043021544 |
| SHA512 | 16f60dde3c5cca44cf5a4098e22c06ac7f65524d62520f470f9e4bb4a12ee24c5abf1dea9815811a3710d0ee8e5964030b1a05c49f132afacd1c7b05a6e943b7 |
memory/4756-21-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/860-22-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/860-23-0x0000000000DF0000-0x0000000000E00000-memory.dmp
memory/860-24-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/860-26-0x0000000000DF0000-0x0000000000E00000-memory.dmp
memory/860-27-0x0000000074970000-0x0000000074F21000-memory.dmp
memory/860-28-0x0000000000DF0000-0x0000000000E00000-memory.dmp
memory/860-29-0x0000000000DF0000-0x0000000000E00000-memory.dmp