Analysis Overview
SHA256
4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41
Threat Level: Known bad
The file 4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N was found to be: Known bad.
Malicious Activity Summary
Metamorpherrat family
MetamorpherRAT
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 21:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 21:01
Reported
2024-11-08 21:03
Platform
win7-20240708-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpBB82.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpBB82.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe
"C:\Users\Admin\AppData\Local\Temp\4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wrycgsl3.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC4E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC4D.tmp"
C:\Users\Admin\AppData\Local\Temp\tmpBB82.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBB82.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\wrycgsl3.cmdline
C:\Users\Admin\AppData\Local\Temp\wrycgsl3.0.vb
C:\Users\Admin\AppData\Local\Temp\zCom.resources
C:\Users\Admin\AppData\Local\Temp\vbcBC4D.tmp
C:\Users\Admin\AppData\Local\Temp\RESBC4E.tmp
C:\Users\Admin\AppData\Local\Temp\tmpBB82.tmp.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 21:01
Reported
2024-11-08 21:03
Platform
win10v2004-20241007-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp786C.tmp.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp786C.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp786C.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe
"C:\Users\Admin\AppData\Local\Temp\4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vnpon_1k.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AFC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAD2986308420432391447A732FF93C8F.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp786C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp786C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4a669a6552ce01b8166be6520c4e009b1df2393a79778ce74b4bbf7ddb59da41N.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\vnpon_1k.cmdline
C:\Users\Admin\AppData\Local\Temp\vnpon_1k.0.vb
C:\Users\Admin\AppData\Local\Temp\zCom.resources
C:\Users\Admin\AppData\Local\Temp\vbcAD2986308420432391447A732FF93C8F.TMP
C:\Users\Admin\AppData\Local\Temp\RES7AFC.tmp
C:\Users\Admin\AppData\Local\Temp\tmp786C.tmp.exe