Analysis Overview
SHA256
2dd6866d0f01e4edc66e827b7b010aa29300c220779722ffdbedd2eb3a64400c
Threat Level: Known bad
The file ec6928530f59c9665688835cc5756c1a_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Loads dropped DLL
Executes dropped EXE
Uses the VBS compiler for execution
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-11 01:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-11 01:40
Reported
2024-04-11 01:43
Platform
win7-20240319-en
Max time kernel
155s
Max time network
158s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp75AD.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp75AD.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp75AD.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l5xonoua.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7734.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7723.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp75AD.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp75AD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/1968-0-0x00000000741E0000-0x000000007478B000-memory.dmp
memory/1968-1-0x00000000741E0000-0x000000007478B000-memory.dmp
memory/1968-2-0x0000000002370000-0x00000000023B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\l5xonoua.cmdline
| MD5 | 300125018862e2e92369bd6cca8e3d3a |
| SHA1 | abdfeeb537ff4549b875cc753797beecd3359f8c |
| SHA256 | 41d0a297bce0f06472f7605224a742487f3d0db2e1af1d00502a8868650338a1 |
| SHA512 | f6e6fb50e696341636c37902bafcdf81a75b0a9dca51ea17701028c163dc2d13357babb827003b9510aafab884508ec4b530779682bcb921a183acc244b83d2c |
C:\Users\Admin\AppData\Local\Temp\l5xonoua.0.vb
| MD5 | 66cf0f6310e8d1db93691e6780d442dd |
| SHA1 | d71b73a5392258d6b436e788943a4416adbc5692 |
| SHA256 | f58be8de86a95935a809dc47a2cc172d6be4e9c30b0f8b69c2757a5ed51ded51 |
| SHA512 | 4eb80b702127f3d15286aed8ae62ad7f994ae7eec552f0215f4c0429406a13a271c4f6a0c1cb3d69ae38c1e3fd5daa0275c3ce167cb3eb51a60daecaa1831622 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbc7723.tmp
| MD5 | 3e9ebb367f9d9c890116d3f09ddd48be |
| SHA1 | 8e258461d60b018ecd5e1f1cd7004c0ba9905295 |
| SHA256 | 1ddeb103afa7964848b1d32921dcb77f4bbc19af8354bc3b7f26772c4526cbcf |
| SHA512 | 88ea20587894addffff732419004e5449cde1abc925f7a603d0ced6189e7d1a1cd38917b303ea82bfaa4b7d7b41acd2fee7d8ff6137a346f2a238482ead591a5 |
C:\Users\Admin\AppData\Local\Temp\RES7734.tmp
| MD5 | 9c6405f69a51b533f1a6e2c70caff7b3 |
| SHA1 | 8d4645a692246dc713529b6eaff0fde83fa51ff3 |
| SHA256 | 7f8aacd9118a07cdb3a4b0e902ca83662e78c4632dd0b0017ee72903b028ea15 |
| SHA512 | 59dea50bd9aee34b160b63080c26e44f8430d3c2ecf4e4b58ccabe0f01f1a9da8105d3de8be02e5afa65032f64b38297d2524535408312af19cf7af06923afe9 |
C:\Users\Admin\AppData\Local\Temp\tmp75AD.tmp.exe
| MD5 | f20ce876b4a43570b2c67aa0dfdaaa0a |
| SHA1 | b6f6b34e7f90a2e7ebd6d1f652ccfcaf29634c8f |
| SHA256 | 37addfb740939d12eb6400b15855442e32d5e19b0ca046a637f9bb4e130eea2e |
| SHA512 | 499e8fc1713c93a617c34ade8b31cebe9101a4e97f734b6324f5b901de4f20a16da0516e2b61e4730206d609a85e91a6c66d76dadca8c39a7b98cbc12485a000 |
memory/2892-22-0x00000000741E0000-0x000000007478B000-memory.dmp
memory/1968-23-0x00000000741E0000-0x000000007478B000-memory.dmp
memory/2892-24-0x00000000004A0000-0x00000000004E0000-memory.dmp
memory/2892-25-0x00000000741E0000-0x000000007478B000-memory.dmp
memory/2892-27-0x00000000004A0000-0x00000000004E0000-memory.dmp
memory/2892-28-0x00000000741E0000-0x000000007478B000-memory.dmp
memory/2892-29-0x00000000741E0000-0x000000007478B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-11 01:40
Reported
2024-04-11 01:43
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp82FB.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp82FB.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp82FB.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ai1asdzd.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8472.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA45F7123AF3A4641A6D48D74FBDCF6D.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp82FB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp82FB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 34.67.9.172:80 | | tcp |
| N/A | 127.0.0.1:127 | | tcp |
Files
memory/3996-0-0x0000000074B30000-0x00000000750E1000-memory.dmp
memory/3996-1-0x0000000074B30000-0x00000000750E1000-memory.dmp
memory/3996-2-0x0000000001540000-0x0000000001550000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ai1asdzd.cmdline
| MD5 | 6503818c55c297800cff8f5e056ea106 |
| SHA1 | 1aed37991b783592643cf425dc7ddbc0d82872c5 |
| SHA256 | 129e348697c8b5ea9025bb1b652cea7b4b251f048d1eb97e690ad55581be959b |
| SHA512 | 8ab57229bc8141a778457da763f85a86745ccca5a3caf71d04d7b6c167b1facb353a84e1334ec60f4dee742ca81ed65bd0e77c5c43bb0a7fa0751cfd5fa52508 |
memory/4900-8-0x00000000024D0000-0x00000000024E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ai1asdzd.0.vb
| MD5 | 70ea843bbb76ad05db2fdde08371cce0 |
| SHA1 | 5f85fdd56aca7be1bf03bac63f010d8ae3fb34ee |
| SHA256 | 31f9499226bb318c513f00556f2abdae44cb8e2793b71febe355c065153a9eb5 |
| SHA512 | 28d6218a30a53c25d89f740e27c3b42e025e0cbf6dfaf378a34ea6e4be964658b0676b66c48f9c1fc8ef06023e39c05f7e864f38ab760e4ae69e80504db10795 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbcA45F7123AF3A4641A6D48D74FBDCF6D.TMP
| MD5 | 19a8e6f1d2ea478dbdb7ca09998369a3 |
| SHA1 | f463feee80fcce75908354b62831b5e9819c2859 |
| SHA256 | ace9024998bdce58d39ec7feccedf931278465cdb94cf5ac9e55309542bec7bf |
| SHA512 | 4dda7143ac91a2ae12c6597fb25d932c10d634092a63535c52e2d4eee5ec3b10fe28903c78be162a2798c09ec50ff436a5814adb8e681c5cfa24b1de13a20d05 |
C:\Users\Admin\AppData\Local\Temp\RES8472.tmp
| MD5 | d10284553d592d41145a69d655d31df7 |
| SHA1 | eba36c8952ca5b49ea95a48c544fec3bf94d394b |
| SHA256 | 52b8cbeae91143c8ddaeafd9475448fb957c93c83a140816d610e567114d71e6 |
| SHA512 | 986d507b1bc1f1517486d3483ac201b64e196c00aa91059b654f59c134f1427f6b07667c688adfde5477b4bd9c0d49805cef1df0a6f3f20fcd392e7a5e6c6fcd |
C:\Users\Admin\AppData\Local\Temp\tmp82FB.tmp.exe
| MD5 | 4473d6e545de3e032f73d3bb65148880 |
| SHA1 | f8d85dfba23370c219d1a44cc49d35d04d88d510 |
| SHA256 | 55ba3559e60f9136382767787fbbfb0a8638e5bd3a7f964dda893e7c0d01f434 |
| SHA512 | db6a33349dc6c1a524be5ca46f9261060be4270f16f4ad4109662357d316d787ada39fd3dabc598e55986e0815846a9f51ec2a1a55a21641d8a0f587b3421552 |
memory/3996-21-0x0000000074B30000-0x00000000750E1000-memory.dmp
memory/208-22-0x0000000074B30000-0x00000000750E1000-memory.dmp
memory/208-23-0x0000000001410000-0x0000000001420000-memory.dmp
memory/208-24-0x0000000074B30000-0x00000000750E1000-memory.dmp
memory/208-26-0x0000000001410000-0x0000000001420000-memory.dmp
memory/208-27-0x0000000074B30000-0x00000000750E1000-memory.dmp
memory/208-28-0x0000000001410000-0x0000000001420000-memory.dmp
memory/208-29-0x0000000001410000-0x0000000001420000-memory.dmp