Analysis Overview
SHA256
b01a9945d1ac0c4fcb81680837b580e07b56f830bbf61d5c1ca071f8618a3f5a
Threat Level: Known bad
The file ece603c81456294d88e05e0c42f81e51_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Checks computer location settings
Executes dropped EXE
Uses the VBS compiler for execution
Loads dropped DLL
Deletes itself
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-11 07:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-11 07:34
Reported
2024-04-11 07:37
Platform
win7-20240215-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1046.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp1046.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1046.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7m_a_az7.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1112.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1111.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp1046.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1046.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\7m_a_az7.cmdline
| MD5 | 8e6dd8f164c62464647f1f1c20d8c6ad |
| SHA1 | fbc654481bc79d3630fbbc4f5e7fad4d15510acc |
| SHA256 | 1e4598effc92ff14be4455185925ba048e80b0af02a098cab28066ae36b7edc2 |
| SHA512 | 5d36035fb05a02252ab532b0179bdc3307990cef46b5046ef9f3022aba195812cf4b5d320b23df21c73ae14095ecaa1f70227a7137d8cdf9249a36b3efb55caa |
C:\Users\Admin\AppData\Local\Temp\7m_a_az7.0.vb
| MD5 | bc6dac9026e3e891df386536f018a652 |
| SHA1 | 88e69709ca10992d168084ac372d50e20c029091 |
| SHA256 | e80163f5707a60ba8802946830dbefea73cc7117cda2bae1d4cd3dd0b6dadc25 |
| SHA512 | f53b5dcf521336cbab76568678cc23b13cfaac92de77ad2007fb79cc21c2da7208dfdc67d7a6cf680027d924135a17e5b11042c9e702702a0392c578bacf76f8 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbc1111.tmp
| MD5 | 0012eb1cade60971198c19845856ad20 |
| SHA1 | 785b28775c982a0990ac693879bfc9a66b11f8a7 |
| SHA256 | 9465cc8b54e005cc53514743896cf551373896684a243d9d929614fc6e153285 |
| SHA512 | 887fd9bb4b712588b34d85a65d7a3913f7d63c23d9cc4e4dfd6c544aa88c9a570860b97ec1bc88a169b02aba06180ea25c27b0a707a0207722abe28b6cec9ca0 |
C:\Users\Admin\AppData\Local\Temp\RES1112.tmp
| MD5 | 9afacb8ffb1936e1316bcc3e78d03931 |
| SHA1 | 2d130fe4ed8266860a053d2e3752aa3b90bfcd9f |
| SHA256 | 11f206f0e5ec7dca3a77a327b52881eaf2f239debca60b40e4ba386b1d94354b |
| SHA512 | 04fc12857a46e4f08ed6a9e3ccbd0e5f309ae2ae08d38d9583c985215620a781c8f000b3a2587ff61b4e880a423e2238519fb9d559eac19d3547d9181b704dd8 |
C:\Users\Admin\AppData\Local\Temp\tmp1046.tmp.exe
| MD5 | cdf9fc336a87e5b0baa9df1c144e7242 |
| SHA1 | 2ad666856d3f230d5f64da1f37aa86d6965461b0 |
| SHA256 | 6ee647040c2d7d39c0df192cd4cc79d733ea02f68e62c3a52f63e8c67d1f17e9 |
| SHA512 | 8e482225e52b75fddbff856d18654c58e91cd9289400c5aa09408d9c62d1476203b2dd2d6d45465e72ba022c8d4813e5c4666d2eaae27e46536e01ed4cebbeb5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-11 07:34
Reported
2024-04-11 07:37
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3CDA.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3CDA.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp3CDA.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3CDA.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kixbg8iu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E22.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA19790BF76044A82965D41AABA11A33F.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp3CDA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3CDA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\kixbg8iu.cmdline
| MD5 | 014c5784dda013648ece660e005651da |
| SHA1 | 1b6f490b744132b100e5ffd61adb557bd5abf84c |
| SHA256 | ab2b6fe10654e15b66419fe6e9c91418a9d16533d08a9c54726ce95ebb12a4ad |
| SHA512 | fadb17d4237a00c8442c64e2dd7eb6c32d8e51ef831abc3df1d73c53c91b5f3ee2003296c4812099a686c186ed3dec4421530cb83cf6f42c83533ffcdab54808 |
C:\Users\Admin\AppData\Local\Temp\kixbg8iu.0.vb
| MD5 | e13f2f90275faa66616141708ebe6049 |
| SHA1 | 332dee9ae453d9a367026a007c1c9577ff4ffbbe |
| SHA256 | fd06903a459be31012fef4debe611ef56425c0eaa76c49f38ca95babfbaf9948 |
| SHA512 | 3a34b87cf06e1fa9a6439aae98f492a3ec95f0cc258a69238844e004b1ec8237645b4a13cb79df05cd672c145db6116c2dab9d4cb9532ca2033d999aa16d90e7 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbcA19790BF76044A82965D41AABA11A33F.TMP
| MD5 | f6faaf7fdb38f8d031a212c1bc11337d |
| SHA1 | c84b96a14f45d21b1c1a0728d2b417dcf10ff0fc |
| SHA256 | a6c82131bbe4f1bf510c82e7c8adcbbb2451c9a9661a71522c9eaaa41cd8438d |
| SHA512 | 9fcb6d8d48a900a8f40eba5df34cc306218e08f87df9fb33be5a26d01805d100e71c0447d9aeb01713c3498c54c95f428f7a93bc8283cc4586b2d6075a5e44e5 |
C:\Users\Admin\AppData\Local\Temp\RES3E22.tmp
| MD5 | 1727472890186d3f9f92b6da9e118990 |
| SHA1 | 0417c9af5cf0122d5eacaba335c89e0614c6ddb1 |
| SHA256 | 6f609cd7c47bb80a011acf95c109990eff4afa6b001bf4861d9334f32488b5dd |
| SHA512 | 7e3111536cfd606a91634121b906d7cfb96ea41e50418c6cd74bb40af9728ae949d9e4df879747abe119fa3bf66c085c34b93911d993c7844f2390c8ea39af5b |
C:\Users\Admin\AppData\Local\Temp\tmp3CDA.tmp.exe
| MD5 | 2e9d455342935463d2a98db8bcaac0a1 |
| SHA1 | c5321b34807d008573f8969e9c9656ad729129c5 |
| SHA256 | eddf749a115e85869f0b4e7326f267f6f3b0a1222eb68666f2b4615a07e2b66f |
| SHA512 | 04cfba40d5af9fb1b014d59fca7a03661a6b0c10ea22ad2e72b5e65eb1b6477a304a11f70e3fff8171bf5edc1dcc1c57ac644bbe346739d8b11964eeb74db41b |