Analysis Overview
SHA256
5720a52a2a373a244245f2791768c51f97f4fb5b263e30beb41713070b1b95d9
Threat Level: Known bad
The file ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-11 19:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-11 19:52
Reported
2024-04-11 19:55
Platform
win7-20240221-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xzf2on0g.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C3F.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
Files
memory/2872-0-0x0000000074470000-0x0000000074A1B000-memory.dmp
memory/2872-1-0x0000000074470000-0x0000000074A1B000-memory.dmp
memory/2872-2-0x0000000000C70000-0x0000000000CB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xzf2on0g.cmdline
| MD5 | df46cd1e75861e5533b612cae21caef5 |
| SHA1 | eb8c30edbe2cc7b61721ef1ffd4dff65da7e67fe |
| SHA256 | 792ea040857195885dc784bcfce2b94bfc645a004d109260a57a21b5b126a5ee |
| SHA512 | 079442fe320ed53fe93b8c6921f59cb1bea78a797b34349b7761b973aeeb1671becb6891562ecc208a668d76bdd91094eb8356b568446fa3dbfbf94acd59ff43 |
memory/2844-8-0x0000000001FB0000-0x0000000001FF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xzf2on0g.0.vb
| MD5 | ee404e6ca88f0cdf097e7e4a2373e959 |
| SHA1 | e34b7d5658b3875733b927e01886c764074745b8 |
| SHA256 | 5f6eafe36902724d370048e5c8b878f8b3f20319ce854b1c49220da97d3a1465 |
| SHA512 | de69ec49f295bcaa3ef46fdfe7d75a433883b58b912708cd0c43ed123403207516b0731507e8515c1e9db6be2f07279421568114a8762be79f5b02a57367ce86 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbc9C3F.tmp
| MD5 | 546a4f83140239591d569c20f4e5b746 |
| SHA1 | 67ed9d1401e7e5b056236196770b2419810e2029 |
| SHA256 | e3ba429cc36a271592180699a8704ea28f01a228cfb31b2171cfd912fc0bae70 |
| SHA512 | 13261c7f78ea4c2369b22cf053abde0471c55250be44a6c8ed1f1f28ca9f1c156bae9ae9ec7ff517d87143bdae7b7c43fb2ff977aa6ad2eadb583a61903e6444 |
C:\Users\Admin\AppData\Local\Temp\RES9C40.tmp
| MD5 | 95ea9ea48100836a726fb3ce032e706f |
| SHA1 | 628d41f4f8d7dc2bce50da0c3a4918b4705eeb0e |
| SHA256 | 4aac66cee2d20bd5e683884d4dbb6f024ab482060b20c3e5c37346dae31e247d |
| SHA512 | e79f861d2cea9ec6abc8fa8d4c9ddb1c1a391a310c8cbc485ac3d234fcd5757046d4af119cba3e2ce1386b1c8b4363b84eb4d1c690d7ce1e392a23b54b711050 |
C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe
| MD5 | c5a8788d40aab859e32c7cdb592b9aaa |
| SHA1 | a452049f278b003d8a642f13b87c8d5cdc29a343 |
| SHA256 | 1329d9981a4e98b0c22efe181c1991c9b06a9b36eefb212368bc5ca8bf988cc3 |
| SHA512 | 458ca98a2a31a235244615af6c273b2390db31b3eac9135453a985a73bdfda7b6ebc2f9327949579b53cbaf24032f106d59ecf23e18c5513962e753909ad111f |
memory/2576-23-0x0000000074470000-0x0000000074A1B000-memory.dmp
memory/2872-25-0x0000000074470000-0x0000000074A1B000-memory.dmp
memory/2576-24-0x0000000000A00000-0x0000000000A40000-memory.dmp
memory/2576-26-0x0000000074470000-0x0000000074A1B000-memory.dmp
memory/2576-28-0x0000000000A00000-0x0000000000A40000-memory.dmp
memory/2576-29-0x0000000074470000-0x0000000074A1B000-memory.dmp
memory/2576-30-0x0000000074470000-0x0000000074A1B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-11 19:52
Reported
2024-04-11 19:55
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4E5E.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp4E5E.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4E5E.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zkxloggf.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5091.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA78FCC11B41415DA232AA7D56FE67F6.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp4E5E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4E5E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe
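The process trees of both detonations (behavioral1 on Win7 and behavioral2 on Win10) follow the same chain: the sample launches the .NET Visual Basic compiler (vbc.exe, which in turn runs cvtres.exe) against a generated .cmdline/.vb pair in the user's Temp, then runs the freshly compiled tmpXXXX.tmp.exe with the original sample path as its only argument, and that dropped binary writes the ShFusRes Run key and talks to bejnz.com. The block below is an added example, not part of the sandbox report: it encodes those observations as detection rules and runs them over hand-constructed Sysmon-style events that mirror the report. The build-tool allowlist, the PIDs, the event field names and the two benign control events are assumptions for illustration; the indicators (paths, domain, IP, Run-key name) are taken from the report, and the tmp[0-9A-F]{4}.tmp.exe pattern generalises the two dropped-file names seen across the runs.

```python
"""
Detection checks for the behaviour chain in this report, run over constructed
Sysmon-style events (EventID 1 = process create, 3 = network connection,
13 = registry value set, 22 = DNS query). The events are hand-written to
mirror the report's process tree and signatures, not captured telemetry.
"""
import re

# Indicators taken from the report. The dropped-binary pattern generalises the
# two names observed (tmp9914.tmp.exe on Win7, tmp4E5E.tmp.exe on Win10).
C2_DOMAINS = {"bejnz.com"}
C2_SOCKETS = {("34.67.9.172", 80)}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
DROPPED_TMP_RE = re.compile(r"\\tmp[0-9A-F]{4}\.tmp\.exe$", re.I)
DOTNET_COMPILER_RE = re.compile(
    r"\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\(?:vbc|csc|cvtres)\.exe$", re.I)
# Assumed allowlist of parents that legitimately drive the command-line compilers.
COMPILER_PARENT_ALLOW = ("msbuild.exe", "devenv.exe", "vbc.exe", "csc.exe")
# First token of a Windows command line (quoted or bare), then everything after it.
CMDLINE_SPLIT_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$')


def rule_compiler_from_non_build_tool(ev):
    """vbc.exe / csc.exe / cvtres.exe started by something other than a build tool."""
    if ev["EventID"] != 1 or not DOTNET_COMPILER_RE.search(ev["Image"]):
        return None
    if ev["ParentImage"].lower().endswith(COMPILER_PARENT_ALLOW):
        return None
    return "dotnet_compiler_spawned_by_non_build_tool"


def rule_dropped_tmp_exe(ev):
    """tmpXXXX.tmp.exe in Temp launched with a different executable's path as its argument."""
    if ev["EventID"] != 1 or not DROPPED_TMP_RE.search(ev["Image"]):
        return None
    rest = CMDLINE_SPLIT_RE.match(ev["CommandLine"]).group(1).strip().strip('"')
    if rest.lower().endswith(".exe") and rest.lower() != ev["Image"].lower():
        return "dropped_tmp_exe_given_another_exe"
    return None


def rule_run_key_to_temp(ev):
    """Run-key value whose data points at an executable under the user's Temp."""
    if ev["EventID"] != 13 or not RUN_KEY_RE.search(ev["TargetObject"]):
        return None
    return "run_key_points_to_temp" if TEMP_PATH_RE.search(ev["Details"]) else None


def rule_c2_contact(ev):
    """DNS query or outbound connection matching the report's network indicators."""
    if ev["EventID"] == 22 and ev["QueryName"].lower().rstrip(".") in C2_DOMAINS:
        return "c2_dns_query"
    if ev["EventID"] == 3 and (ev["DestinationIp"], ev["DestinationPort"]) in C2_SOCKETS:
        return "c2_connection"
    return None


RULES = (rule_compiler_from_non_build_tool, rule_dropped_tmp_exe,
         rule_run_key_to_temp, rule_c2_contact)


def detect(events):
    """Return one hit per (event, rule) match, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append({"rule": name, "pid": ev["ProcessId"], "image": ev["Image"]})
    return hits


# Constructed events mirroring the Win7 run; PIDs follow the memory-dump names
# in the report (2872 sample, 2844 vbc.exe, 2576 dropped exe) but are assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe"
CMDLINE_FILE = r"C:\Users\Admin\AppData\Local\Temp\xzf2on0g.cmdline"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes")
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2844, "Image": VBC, "ParentImage": SAMPLE,
     "CommandLine": '"' + VBC + '" /noconfig @"' + CMDLINE_FILE + '"'},
    {"EventID": 1, "ProcessId": 2860, "Image": CVTRES, "ParentImage": VBC,
     "CommandLine": CVTRES + " /NOLOGO /READONLY /MACHINE:IX86"},
    {"EventID": 1, "ProcessId": 2576, "Image": DROPPED, "ParentImage": SAMPLE,
     "CommandLine": '"' + DROPPED + '" ' + SAMPLE},
    {"EventID": 13, "ProcessId": 2576, "Image": DROPPED, "TargetObject": RUN_KEY,
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\big5.exe"'},
    {"EventID": 22, "ProcessId": 2576, "Image": DROPPED, "QueryName": "bejnz.com"},
    {"EventID": 3, "ProcessId": 2576, "Image": DROPPED,
     "DestinationIp": "34.67.9.172", "DestinationPort": 80},
    # Benign controls (constructed): a real MSBuild-driven compile and a vendor
    # updater registering itself from Program Files must not fire.
    {"EventID": 1, "ProcessId": 4100, "Image": VBC,
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": '"' + VBC + '" /noconfig @"C:\\build\\app.cmdline"'},
    {"EventID": 13, "ProcessId": 4200, "Image": r"C:\Program Files\Vendor\Updater.exe",
     "TargetObject": RUN_KEY.rsplit("\\", 1)[0] + r"\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\Updater.exe"'},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["rule"], hit["pid"], hit["image"])
```

The compiler rule keys on the parent rather than on the `/noconfig @file.cmdline` arguments, because that argument shape is exactly what a legitimate MSBuild or CodeDOM compile also produces; it is the parent living in a user's Temp that makes it worth an alert. The dropped-binary rule only says the new executable received another executable's path on its command line, which is what the process tree shows; the report's WriteProcessMemory signature carries no target, so the example does not claim injection.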
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
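Both network tables (behavioral1 and behavioral2) list every connection separately, so the same beacon to 34.67.9.172:80 under the name bejnz.com appears dozens of times, interleaved with loopback rows and, on Win10, with reverse (in-addr.arpa) lookups for Microsoft-range addresses and for the C2 address itself. The block below is an added example, not part of the report: it parses the report's four-column row format into a de-duplicated summary, turns each PTR name back into the address that was looked up, and emits the flat indicator list an analyst would actually block on. The excerpt embedded in the block is constructed from rows of the behavioral2 table and deliberately includes one row in the report's raw misaligned form (protocol in the Domain column) so the parser copes with both layouts.

```python
"""
Aggregates sandbox network rows into a de-duplicated indicator summary.
NETWORK_EXCERPT is constructed from rows of the behavioral2 table above;
the parser accepts the report's four-column layout and also the raw rows
whose protocol has slipped into the Domain column.
"""
import re
from collections import Counter

NETWORK_EXCERPT = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
"""

PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.I)


def parse_rows(table):
    """Turn the markdown rows into dicts; skips the header and malformed lines."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if not proto and domain.lower() in ("tcp", "udp"):
            domain, proto = "N/A", domain          # raw-row layout: proto shifted left
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'172.9.67.34.in-addr.arpa' -> '34.67.9.172'; None for non-PTR names."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def summarize(rows):
    """Collapse repeated rows into counts, split DNS from sessions, drop loopback."""
    out = {"dns_queries": Counter(), "reverse_lookups": {},
           "connections": Counter(), "loopback_rows": 0}
    for r in rows:
        if r["ip"].startswith("127."):
            out["loopback_rows"] += 1
            continue
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                out["reverse_lookups"][r["domain"]] = ip
            else:
                out["dns_queries"][r["domain"]] += 1
            continue
        out["connections"][(r["ip"], r["port"], r["proto"], r["domain"])] += 1
    return out


def iocs(summary):
    """Flat, sorted indicator list: queried hostnames plus contacted ip:port pairs."""
    names = set(summary["dns_queries"])
    sockets = {f"{ip}:{port}" for ip, port, _, _ in summary["connections"]}
    return sorted(names | sockets)


if __name__ == "__main__":
    s = summarize(parse_rows(NETWORK_EXCERPT))
    for key, count in s["connections"].items():
        print(count, "x", key)
    print("reverse lookups:", s["reverse_lookups"])
    print("iocs:", iocs(s))
```

The reverse-lookup mapping is what ties the otherwise anonymous `172.9.67.34.in-addr.arpa` query in the Win10 run to the 34.67.9.172 beacon target; the other PTR names resolve to Microsoft address space and are ordinary Windows background traffic, so they are kept in the summary but excluded from the indicator list.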
Files
memory/2380-0-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/2380-1-0x0000000001B50000-0x0000000001B60000-memory.dmp
memory/2380-2-0x0000000074DD0000-0x0000000075381000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zkxloggf.cmdline
| MD5 | 8a3764d9f69b9cf35bd3c001c72a7023 |
| SHA1 | e32f6134b5e5fc0fbe7a38412f6e102e4029b75a |
| SHA256 | e108b2aa9b88b9287b47998d4198bf7aa073cbb686a12dba06d849b316777a30 |
| SHA512 | 1fcfb8022abc1382819847499a3319896f9b7480dd59883a4765d920a87ea6beed0accc9616e40a1cbe536ac43a69e1b325814230295c61a10bafbb8a0e328e5 |
memory/1444-8-0x0000000000600000-0x0000000000610000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zkxloggf.0.vb
| MD5 | 5e84bc81b6cb0ea3c82b50878e7f037e |
| SHA1 | 3663c85172358e4515bbaa08ae79491dbe8b6fda |
| SHA256 | a8f8fc142ed31869d85c70f07ae6fd8061bf02c7adc2c0e9fde4b74ca86061b5 |
| SHA512 | e65b5ae25a9def4a0c494c5c7c51531b8a2298b1d95ea6d6e8bc6828555d2c54a1e73e539fe989765d4c0ff76f3a7603cd6760981422f0594de58e7b88cd61ed |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbcBA78FCC11B41415DA232AA7D56FE67F6.TMP
| MD5 | afcbff583f3c4861f2e0fec0f538a91c |
| SHA1 | 44c8b5de5545b7692b19b220d0f6ba551e66ec55 |
| SHA256 | b00ac1f1eede1f61a3b90f5dea4e58ff0c90ee00aca6bafa42923ec0772700f7 |
| SHA512 | c95f2ebb7c9013f372fbd5b3b56db36da6fe7bf5da462b3fcd1d4b2b3a2dca4065bc13761006d2e8167af18894749310eb61f920ee5d0a25fc0ae4a76880f412 |
C:\Users\Admin\AppData\Local\Temp\RES5091.tmp
| MD5 | 4072f99c9593b6a7b3ed406b1b04a392 |
| SHA1 | 710dbbcef0e662aad04f4e56949facbed9a713a4 |
| SHA256 | e4d359db7877e8d241030afa887e5ceb0ec8f5a8789ab2efa476ba6ecc8298fb |
| SHA512 | 3e46b82b6359ca82bba62649849a61620af6bed0f25dcf00de6342f6a9bd0baa10d4c905faa6c7be29d5f3cd4a9e91e22274f6ed261265152230777b32057ce2 |
C:\Users\Admin\AppData\Local\Temp\tmp4E5E.tmp.exe
| MD5 | fcda34e9d0600aff2c5a2d2ebe161d56 |
| SHA1 | bb34f184f79c5bd5d0ebdcab28859119b0be3fb9 |
| SHA256 | 12ee5c4c08372986757aafe7f01a575de08a7aca4b82aee071884b5548ec7964 |
| SHA512 | 1bacc5153e9e0ed8a1bd1a27c30c2a573c36b84f744b6bd3de97c3f7f47307e9fe00b3dc3b535a09497e79da006c9c5e9da66f0fcace6321e42b283b7432a40e |
memory/1548-22-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/1548-23-0x0000000000AB0000-0x0000000000AC0000-memory.dmp
memory/2380-21-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/1548-24-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/1548-26-0x0000000000AB0000-0x0000000000AC0000-memory.dmp
memory/1548-27-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/1548-28-0x0000000000AB0000-0x0000000000AC0000-memory.dmp
memory/1548-29-0x0000000000AB0000-0x0000000000AC0000-memory.dmp