Analysis Overview
SHA256
a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610
Threat Level: Known bad
The file a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
Uses the VBS compiler for execution
Loads dropped DLL
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 01:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 01:58
Reported
2024-11-04 02:00
Platform
win10v2004-20241007-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe
"C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oiqsv2ey.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES886A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6DDC5083998403A895D4CBD9E2457.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
Files
memory/4084-0-0x0000000074BB2000-0x0000000074BB3000-memory.dmp
memory/4084-1-0x0000000074BB0000-0x0000000075161000-memory.dmp
memory/4084-2-0x0000000074BB0000-0x0000000075161000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oiqsv2ey.cmdline
| MD5 | 41f058954a98b9edc1f80ba8738d4917 |
| SHA1 | 90e999da481a53e5d58076cbdaa19291a9a59dc6 |
| SHA256 | 3d48dc2e7f16b128159852e9124fba80d4656e74b6643b0550b833e5df290f15 |
| SHA512 | 9d3da70715b37610c57934ef473e30debee6a1d65cc87e541347fd0feaa1b6c209befe3e08b4397707d43926edcd1659326c66c9ea04cd2bd3ea21b88ca98c1c |
C:\Users\Admin\AppData\Local\Temp\oiqsv2ey.0.vb
| MD5 | 2d43da31d22b226443b7ad9724b92a6d |
| SHA1 | 342d70a07b7007edfe6efdbb9a7cb79eb48b2937 |
| SHA256 | e23ce3c32d6e930d4955ac80e76a2159c3871af3e093f7e90b66ccf32d0ce672 |
| SHA512 | e8e5033a4a13eea5ac2df90b0e6ff2710bdadc133cc34465f1803b0031de3dd5fafb88cab3485471ae5ba275b91999ca83f08117503989481b68afeae9b81d85 |
memory/216-9-0x0000000074BB0000-0x0000000075161000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 484967ab9def8ff17dd55476ca137721 |
| SHA1 | a84012f673fe1ac9041e7827cc3de4b20a1194e2 |
| SHA256 | 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b |
| SHA512 | 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7 |
C:\Users\Admin\AppData\Local\Temp\vbc6DDC5083998403A895D4CBD9E2457.TMP
| MD5 | fc11ea13424aa8429a24a022962ea6aa |
| SHA1 | c9e3650897479214850263cb7b1fa9d7869d6a15 |
| SHA256 | 1e65ce00f19c4c393a4b7b7fcecfdc96ce4c48c39ff4bcc40afc1e2f76d69dd7 |
| SHA512 | 6bcf21de9bac68e5b27fc2ec6692e94327aab05e260251eb5c8fe6d9ac382b3b3fa468289f03ddd82c99463cf7f65eefac63a1c8dc4128f5042f7b286eed5598 |
C:\Users\Admin\AppData\Local\Temp\RES886A.tmp
| MD5 | e61e8f3a8f8011df5b572a0dfe09e7cb |
| SHA1 | ed9b05984786ef8083594f929f6b82c8eb2e3559 |
| SHA256 | 02becf6345c0f7b41c9f01cf1076d33361301ac17f8d83ea50fa02e8f53597de |
| SHA512 | fd9794671a9c0bafa50d7a541a6705a790c14196543e9245fe18b7329a0151194d47131d0c0ccbdba26f87af7276453b8b66208106f851f335f3f179b588ec38 |
memory/216-18-0x0000000074BB0000-0x0000000075161000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.exe
| MD5 | 799cfe32b28fe49c1ea2361b2bbb429f |
| SHA1 | af92f4a3ba19d4bbbcbff6981e755f90f56d29dc |
| SHA256 | d98ad682fd28aca1ebe2dbe56f80dd4be624095aefa0429b15af986cfce73abc |
| SHA512 | 4abcf2b6a8a400ac227a20fec60d82ab073e8c3814c732b39c3fee38c97b2f105a81c00da33bac39decbf82a857457ee48c62bc13f1f513dc3e86eeccb372660 |
memory/4084-23-0x0000000074BB0000-0x0000000075161000-memory.dmp
memory/2452-22-0x0000000074BB0000-0x0000000075161000-memory.dmp
memory/2452-24-0x0000000074BB0000-0x0000000075161000-memory.dmp
memory/2452-25-0x0000000074BB0000-0x0000000075161000-memory.dmp
memory/2452-26-0x0000000074BB0000-0x0000000075161000-memory.dmp
memory/2452-27-0x0000000074BB0000-0x0000000075161000-memory.dmp
memory/2452-28-0x0000000074BB0000-0x0000000075161000-memory.dmp
memory/2452-29-0x0000000074BB0000-0x0000000075161000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 01:58
Reported
2024-11-04 02:00
Platform
win7-20240903-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1C5.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp1C5.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe
"C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jaldkrmo.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CE.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp1C5.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1C5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
Files
memory/2068-0-0x0000000074D11000-0x0000000074D12000-memory.dmp
memory/2068-1-0x0000000074D10000-0x00000000752BB000-memory.dmp
memory/2068-2-0x0000000074D10000-0x00000000752BB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jaldkrmo.cmdline
| MD5 | 3c3c99b197e5c5a210413b18a00e47f2 |
| SHA1 | 760b575c2086f602f7104e4104c8dc277e3bb47e |
| SHA256 | 2292a0c6378b74d3a59847d485f862f67084f5548b0e0c12544dbdbdbc08365d |
| SHA512 | de1195fc5ce12ff0140f2bffae79cc9b923b43f88e4f31e01fdcf983a9d4bf24260e4969a8c0bfe3d15fed89d96f5b5c77ecc0220d38a9d9407eddeee37c9bed |
memory/2832-8-0x0000000074D10000-0x00000000752BB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jaldkrmo.0.vb
| MD5 | 65be1c9ec8946f955bf726f82ab538af |
| SHA1 | db5ecf08093186e4cfa0c62233c222a230ecef07 |
| SHA256 | 61c4a9eed48b37c74b371149f53ef71a3d0233264c078128150b16ae837e2697 |
| SHA512 | 53f80f0e69f10f2c24231d295d036a829edd019a7a3652266b8d60f0ccce26b210ae23459c0184a6df199bbec191f378a86b711e6f48eddd4c336e3c16861860 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 484967ab9def8ff17dd55476ca137721 |
| SHA1 | a84012f673fe1ac9041e7827cc3de4b20a1194e2 |
| SHA256 | 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b |
| SHA512 | 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7 |
C:\Users\Admin\AppData\Local\Temp\vbc2CE.tmp
| MD5 | 75406e6f33f9a1f3a00b4e51b2df31ef |
| SHA1 | 847fc8a6f51d0a5bce417fb7b413541bf0cbc2a7 |
| SHA256 | f892fb45345eab8488e516638a0e252ef4b0013a6ed07db9fb217fd80d5e8898 |
| SHA512 | 2f491227c8f4e767344a517ee163474e01d8bfefe3338b4ef1d217e6ccd663515ac2ee5dd91c0607d6592a12b26242bf9d97e5dc420ff9f326ee975970accead |
C:\Users\Admin\AppData\Local\Temp\RES2DF.tmp
| MD5 | 4ffae47b9e6ee1cbc5bc447d86ed9199 |
| SHA1 | 347bf66e4c03da89ef986cccb8eb5aa45ea1ff1a |
| SHA256 | c09f0085dec225e551167b4a3787b50d59e13200f76cb841dbb1599e0be607a2 |
| SHA512 | 503504d6f4a5c63f9d3f59d1b507fceae1221087a76293e33f79689572b4635dffd107dcbeae051f361c2f24d27ba57b58622963f6e56021de5d6c4eb47bf27a |
memory/2832-18-0x0000000074D10000-0x00000000752BB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1C5.tmp.exe
| MD5 | 90adcadfc936a12a5426f857f0cc6032 |
| SHA1 | a2fcde208c0dd519101bf611dd75f2c3da2026f6 |
| SHA256 | a8eb1d1cbc324b6a71678d399adefbdb441226c6b5f9650bb80eb482f4e6df88 |
| SHA512 | 9d528aed2ce1a02c3b85bd436bde010e6158035c2e7d16f5d844be137084d4443f5c273547bb433e2452314c101abc14c21145884aeec6660e6ca021db24f977 |
memory/2068-24-0x0000000074D10000-0x00000000752BB000-memory.dmp