Malware Analysis Report

2024-11-16 13:11

Sample ID 240409-c5aweafe9t
Target d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8
SHA256 d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8

Threat Level: Known bad

The file d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Loads dropped DLL

Executes dropped EXE

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 02:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 02:39

Reported

2024-04-09 02:41

Platform

win7-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8A93.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp8A93.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp8A93.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2936 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2936 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2936 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2164 wrote to memory of 2524 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2164 wrote to memory of 2524 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2164 wrote to memory of 2524 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2164 wrote to memory of 2524 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2936 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe C:\Users\Admin\AppData\Local\Temp\tmp8A93.tmp.exe
PID 2936 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe C:\Users\Admin\AppData\Local\Temp\tmp8A93.tmp.exe
PID 2936 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe C:\Users\Admin\AppData\Local\Temp\tmp8A93.tmp.exe
PID 2936 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe C:\Users\Admin\AppData\Local\Temp\tmp8A93.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe

"C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vs6v4eyw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CC6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8CC5.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp8A93.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8A93.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe
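The process tree above and the persistence signature earlier in this analysis (the Run key System.XML pointing at AppLaunch.exe under Temp) are the parts of this report worth turning into host detections. The following is an added example, not code from the sandbox report: it runs three checks over constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set) that mirror the behavioral1 chain, with sample.exe standing in for the hash-named file. The benign control record is an assumption added for contrast: PowerShell's Add-Type builds through the same csc.exe/vbc.exe response-file mechanism, so the @*.cmdline argument alone is not a useful signal and the detections key on where the parent lives instead. What tmp8A93.tmp.exe does with the parent path it is handed is not established by the report; the check only flags the pattern.

```python
"""Detections for the vbc.exe / cvtres.exe / dropped-EXE / Run-key chain.

Added example, not part of the sandbox report. Every record in EVENTS is
hand-written to mirror the report's behavioral1 process tree; field names
follow Sysmon conventions but nothing here was captured from a live host.
"""
import re

USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
DOTNET_COMPILER = re.compile(
    r"\\microsoft\.net\\framework(64)?\\v[\d.]+\\(vbc|csc)\.exe$", re.I)
RESPONSE_FILE = re.compile(r'@"?[^"\s]+\.cmdline', re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"

EVENTS = [  # constructed; sample.exe stands in for the hash-named sample
    {"id": 1, "pid": 2936, "ppid": 1000,
     "image": TEMP + r"\sample.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": '"' + TEMP + r'\sample.exe"'},
    {"id": 1, "pid": 2164, "ppid": 2936,
     "image": FW + r"\vbc.exe", "parent_image": TEMP + r"\sample.exe",
     "cmdline": '"' + FW + r'\vbc.exe" /noconfig @"' + TEMP + r'\vs6v4eyw.cmdline"'},
    {"id": 1, "pid": 2524, "ppid": 2164,
     "image": FW + r"\cvtres.exe", "parent_image": FW + r"\vbc.exe",
     "cmdline": FW + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:'
                + TEMP + r'\RES8CC6.tmp" "' + TEMP + r'\vbc8CC5.tmp"'},
    {"id": 1, "pid": 2612, "ppid": 2936,
     "image": TEMP + r"\tmp8A93.tmp.exe", "parent_image": TEMP + r"\sample.exe",
     "cmdline": '"' + TEMP + r'\tmp8A93.tmp.exe" ' + TEMP + r'\sample.exe'},
    {"id": 13, "pid": 2612, "image": TEMP + r"\tmp8A93.tmp.exe",
     "target": r"HKU\S-1-5-21-330940541-141609230-1670313778-1000"
               r"\Software\Microsoft\Windows\CurrentVersion\Run\System.XML",
     "details": '"' + TEMP + r'\AppLaunch.exe"'},
    # Benign control (assumed, constructed): PowerShell Add-Type compiling via
    # csc.exe with the same @*.cmdline response file under %TEMP%. The parent
    # lives in System32, so the checks below must not flag it.
    {"id": 1, "pid": 4100, "ppid": 4000,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"'
                r' /noconfig @"' + TEMP + r'\k3p0qz1a.cmdline"'},
]


def _args_after_argv0(cmdline: str) -> str:
    """Return the command line with its first (possibly quoted) token removed."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:] if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def detect_codedom_from_temp(events):
    """(parent pid, compiler pid) for vbc/csc launched with a response file by
    a parent that itself lives in a user's Temp directory."""
    return [(e["ppid"], e["pid"]) for e in events
            if e["id"] == 1 and DOTNET_COMPILER.search(e["image"])
            and RESPONSE_FILE.search(e["cmdline"])
            and USER_TEMP.search(e["parent_image"])]


def detect_temp_run_key(events):
    """(value name, data) for Run-key values whose command points into Temp."""
    return [(e["target"].rsplit("\\", 1)[-1], e["details"]) for e in events
            if e["id"] == 13 and RUN_KEY.search(e["target"])
            and USER_TEMP.search(e["details"])]


def detect_dropped_exe_given_parent_path(events):
    """(parent pid, child pid) for a Temp-resident child, started by a
    Temp-resident parent, whose arguments contain the parent's own path."""
    hits = []
    for e in events:
        if e["id"] != 1 or not USER_TEMP.search(e["image"]):
            continue
        parent = e["parent_image"]
        if USER_TEMP.search(parent) and \
                parent.lower() in _args_after_argv0(e["cmdline"]).lower():
            hits.append((e["ppid"], e["pid"]))
    return hits


if __name__ == "__main__":
    for check in (detect_codedom_from_temp, detect_temp_run_key,
                  detect_dropped_exe_given_parent_path):
        print(check.__name__, check(EVENTS))
```

Each check returns the matching pids or registry values so it can be wired into a SIEM rule or a unit test; on real telemetry, the Temp-resident parent condition is what separates this chain from the Add-Type and Visual Studio compiles that produce identical vbc.exe/csc.exe command lines.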

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 tcp

Files

memory/2936-0-0x0000000074B80000-0x000000007512B000-memory.dmp

memory/2936-1-0x0000000074B80000-0x000000007512B000-memory.dmp

memory/2936-2-0x0000000000310000-0x0000000000350000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vs6v4eyw.cmdline

MD5 a803e8c57e4073a71cc7219c134ba437
SHA1 ccdc45ec4a492f64ccbc500188e4f76e15ee0c70
SHA256 635543fabe314c8c2174e3a802cd2868af7e5bd6e5308cd197d287eb8501a3b9
SHA512 a88f0cda63a5c204ab8f203b0c8184a6ade7021fd0cf5ac7d4e6410bf2599b7d34d7dadb614eaea44463dcfe5ec5be2be812f8c15506857dc4c61dad3eecd75c

memory/2164-8-0x0000000001F70000-0x0000000001FB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vs6v4eyw.0.vb

MD5 8f7f8b8ad728dc6ea18a803e6164997c
SHA1 4161e603ae10befae9d5f6bec50faee5882bd5d3
SHA256 e8258e9c43baf2a29798e019cfdac720794903a7fa5c0584f82aad4c3b3df85a
SHA512 1fc55d33dffeddf0c74458ebab5884331e3b43adc11976af7bbb844a48979f117b5110b0aa045eadf024fd7c6d0fca2fd21a6220a1da820aad36b7fedab386da

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc8CC5.tmp

MD5 96a073bfe00dc80b9f53b673f8bd2b65
SHA1 42a89902e027c6bbf12258f5914158cf8270a2da
SHA256 465eba3cdece278067438416bfa8b60c988d2e9bb8caac2baf95414f9dea1f19
SHA512 77e3b0b4829227bd755236ed2383455c8befe2f530a5a99553f57357cbaa6a53f2824da84663061eeb8be406d218b897f8cd703a78f10eb73f2cd8efc9d4b605

C:\Users\Admin\AppData\Local\Temp\RES8CC6.tmp

MD5 888fb38b5db347f51a7faf0959e0bbfc
SHA1 7b1f2f1a3b82796c41535a5786a7b4c3f99cfc42
SHA256 192134322a5c4dec7ebd7a077f6a41630f2235154c39f0fbe9bc1402329a6107
SHA512 4f23470540aa1425cb106329eb0f0c437d612509d6a5ff21c1263f4cbe9a398ec1c1d3fbea4ce8eb4e73fcd17fb9d077afb9a338bc65db2e40ba33891706ed9e

C:\Users\Admin\AppData\Local\Temp\tmp8A93.tmp.exe

MD5 69cd4b5ff6168d58dec055c771c1d472
SHA1 e51557d342705ea7890d220ba4f853a24d182d9b
SHA256 bb1f08f855945dd2d43ec47249a2fd7f98552eb13612e475e9c537f943af7ec2
SHA512 2e4b3f8623faf0012b2e0ab2a0bf89720c53fcef5376f19599109b5d3fca9f80cfb1341402b2d8ea67ee6512795cf6d398e3451c6b7a12e32f009567993ffd4c

memory/2612-24-0x0000000074B80000-0x000000007512B000-memory.dmp

memory/2936-23-0x0000000074B80000-0x000000007512B000-memory.dmp

memory/2612-26-0x0000000074B80000-0x000000007512B000-memory.dmp

memory/2612-25-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

memory/2612-28-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

memory/2612-29-0x0000000074B80000-0x000000007512B000-memory.dmp

memory/2612-30-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

memory/2612-31-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 02:39

Reported

2024-04-09 02:41

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp3FC8.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp3FC8.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp3FC8.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4028 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4028 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4028 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3088 wrote to memory of 2124 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3088 wrote to memory of 2124 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3088 wrote to memory of 2124 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4028 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe C:\Users\Admin\AppData\Local\Temp\tmp3FC8.tmp.exe
PID 4028 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe C:\Users\Admin\AppData\Local\Temp\tmp3FC8.tmp.exe
PID 4028 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe C:\Users\Admin\AppData\Local\Temp\tmp3FC8.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe

"C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-nztqczk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40A3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8E98A8D98B54172A0EF1257B8F1432.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp3FC8.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3FC8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d02f0822617b55339b92959f1ff2751404902fdafd495ac80362526d6d510fa8.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
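The network tables of behavioral1 and behavioral2 repeat the same few destinations many times, and what matters for hunting is the reduced view: which names were resolved, which of them were actually connected to, how many times, and which are dynamic-DNS hosts. The following is an added example, not part of the sandbox report; it parses rows in the report's own Country/Destination/Domain/Proto layout, discards the in-addr.arpa reverse lookups as sandbox noise, and reports names that were queried but never connected to (in this report hackorchronix.no-ip.biz is queried repeatedly without any matching TCP row). SAMPLE_ROWS is a copied excerpt of the two tables, not the full set, and DYN_DNS_SUFFIXES is an assumed, non-exhaustive list. The 52.142.223.178 row carries no domain in the report and is kept as an indicator only because the report does; corroborate it before blocking.

```python
"""IOC reduction for the report's network tables.

Added example, not part of the sandbox report. SAMPLE_ROWS is a copied
excerpt of the report's rows; the dynamic-DNS suffix list is an assumption.
"""
import re
from collections import Counter, defaultdict

ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
                 r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$")
# Assumption: common dynamic-DNS suffixes; extend for your own environment.
DYN_DNS_SUFFIXES = (".no-ip.biz", ".no-ip.org", ".ddns.net", ".duckdns.org")

SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 tcp
"""


def parse_rows(text):
    """Parse the report's network table into dicts; header and blanks skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append(m.groupdict())
    return rows


def summarize(rows):
    """Reduce parsed rows to DNS counts, connection counts and indicators."""
    dns = Counter()                 # domain -> query count
    conns = Counter()               # (ip, port) -> connection count
    names = defaultdict(set)        # (ip, port) -> domains the sandbox tied to it
    for r in rows:
        if r["proto"] == "udp" and r["port"] == "53":
            d = r["domain"]
            if d and not d.endswith(".in-addr.arpa"):   # drop reverse lookups
                dns[d] += 1
            continue
        key = (r["ip"], r["port"])
        conns[key] += 1
        if r["domain"]:
            names[key].add(r["domain"])
    connected = set().union(*names.values())
    return {
        "dns": dict(dns),
        "connections": dict(conns),
        "names": {k: sorted(v) for k, v in names.items()},
        "queried_never_connected": sorted(d for d in dns if d not in connected),
        "dynamic_dns": sorted(d for d in dns if d.endswith(DYN_DNS_SUFFIXES)),
        "indicators": sorted({f"{ip}:{port}" for ip, port in conns}
                             | set(dns) | connected),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_rows(SAMPLE_ROWS)).items():
        print(f"{k}: {v}")
```

Fed the full tables instead of the excerpt, the same function gives the per-destination beacon count for 34.67.9.172:80 and makes the resolve-but-never-connect pattern for the no-ip.biz name stand out, which is the usual sign of a fallback C2 whose record was not answered during detonation.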

Files

memory/4028-0-0x0000000075010000-0x00000000755C1000-memory.dmp

memory/4028-1-0x0000000075010000-0x00000000755C1000-memory.dmp

memory/4028-2-0x0000000000C50000-0x0000000000C60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\-nztqczk.cmdline

MD5 5931044362dd615bbd3438f54f5099eb
SHA1 be0aa6aba366a7f4c6c3ce9d258dcc4aedac7068
SHA256 9e93733452a92921b8c6eb4c13ca382836a4d481c6763520231d0f070c99c240
SHA512 8a470a4a6369b0db161234793f84873fa62e7e62ca5ef4da74f96733bbe9d95e878d6aa5dcd45cecb0f2802a154a2af5c28063d6e28e06bde2d1f16b359f2932

C:\Users\Admin\AppData\Local\Temp\-nztqczk.0.vb

MD5 16f893727b80cd7272e37910f4e450cf
SHA1 2e82b9d8e126309892e5008eedcd0ac98bec2b69
SHA256 4fd40477f79887d3a5d2586c7559fbd3bd736c85e6cbb76f2dcee2db4d1e400d
SHA512 94e5f34a8d96072d1a4f8308250604da5a3f4866a5ae5bd164908ded67c0dd551e700c6a9ad5b2b928ba97b036b217dcd7c49bd339d3fe77949a1aec56eca1dd

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc8E98A8D98B54172A0EF1257B8F1432.TMP

MD5 432be9f28015e8cfd535e9becd8735a5
SHA1 73221053e1a3cfa29ced77f09947e02e9bbab382
SHA256 14a43dc7cad0f6c5d56b4b71cf70b5e259bfdee2cc7004187659cddef41a56b4
SHA512 624d6bd867c764bdec4db8ffa50aa65784cc4c4baa953227a14727b3abdcc401f90aa36b2f22f4d8662c1719685f60004190443b5dcb073766c6c9a16c5c338e

C:\Users\Admin\AppData\Local\Temp\tmp3FC8.tmp.exe

MD5 b28be496251246d2dd65a3afc7042205
SHA1 36dee12fcfad5abcf5d187fe6d93ea27ec80148a
SHA256 c6895fbbde9e96091144aec273b77f3d528d9eebfd64407d1b73af840ce8179b
SHA512 71b74f165565ca12a75ce81b3edb8954338b6f18a887a2ab860bad0f45d8389203d69ed780cad4533f48a28169c587d02f9e382f8f529e0e180ba581b6b79047

C:\Users\Admin\AppData\Local\Temp\RES40A3.tmp

MD5 587e18104cfee2affa89b23978352014
SHA1 0ca53a412dd9b3c8305ff832e4cc74a006141c1c
SHA256 7820826d07d346c1eb0c4e72c86127292a8ceb96b2c993eae6e42f4d0e41f485
SHA512 ebf69f9f89d3e0cc6bb4df62c4876410909993424587d54b3291e4ce35254fac3a248bf297fb76b57492b0adc8ef5dc2ab6ca64ee8a4f4104b4900b1ed507816

memory/4028-20-0x0000000075010000-0x00000000755C1000-memory.dmp

memory/2812-21-0x0000000075010000-0x00000000755C1000-memory.dmp

memory/2812-22-0x00000000008D0000-0x00000000008E0000-memory.dmp

memory/2812-23-0x0000000075010000-0x00000000755C1000-memory.dmp

memory/2812-25-0x00000000008D0000-0x00000000008E0000-memory.dmp

memory/2812-26-0x0000000075010000-0x00000000755C1000-memory.dmp

memory/2812-27-0x00000000008D0000-0x00000000008E0000-memory.dmp

memory/2812-28-0x00000000008D0000-0x00000000008E0000-memory.dmp