Analysis Overview
SHA256
30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446
Threat Level: Known bad
The file 30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Metamorpherrat family
Deletes itself
Uses the VBS compiler for execution
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 11:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 11:22
Reported
2024-11-10 11:24
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe
"C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nq0ndqoh.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8107.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc276197E7F3D74F9180716411AA52CA0.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nq0ndqoh.cmdline
C:\Users\Admin\AppData\Local\Temp\nq0ndqoh.0.vb
C:\Users\Admin\AppData\Local\Temp\zCom.resources
C:\Users\Admin\AppData\Local\Temp\vbc276197E7F3D74F9180716411AA52CA0.TMP
C:\Users\Admin\AppData\Local\Temp\RES8107.tmp
C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 11:22
Reported
2024-11-10 11:24
Platform
win7-20241010-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9FB9.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp9FB9.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe
"C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lieq6qms.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA362.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA351.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp9FB9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9FB9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
Files
C:\Users\Admin\AppData\Local\Temp\lieq6qms.cmdline
C:\Users\Admin\AppData\Local\Temp\lieq6qms.0.vb
C:\Users\Admin\AppData\Local\Temp\zCom.resources
C:\Users\Admin\AppData\Local\Temp\vbcA351.tmp
C:\Users\Admin\AppData\Local\Temp\RESA362.tmp
C:\Users\Admin\AppData\Local\Temp\tmp9FB9.tmp.exe