Analysis Overview
SHA256
03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0
Threat Level: Known bad
The file 03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Metamorpherrat family
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Executes dropped EXE
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 02:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 02:26
Reported
2024-11-11 02:28
Platform
win7-20241010-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpF1CE.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpF1CE.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe
"C:\Users\Admin\AppData\Local\Temp\03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\psew8hc_.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF567.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF566.tmp"
C:\Users\Admin\AppData\Local\Temp\tmpF1CE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF1CE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\psew8hc_.cmdline
C:\Users\Admin\AppData\Local\Temp\psew8hc_.0.vb
C:\Users\Admin\AppData\Local\Temp\zCom.resources
C:\Users\Admin\AppData\Local\Temp\vbcF566.tmp
C:\Users\Admin\AppData\Local\Temp\RESF567.tmp
C:\Users\Admin\AppData\Local\Temp\tmpF1CE.tmp.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 02:26
Reported
2024-11-11 02:28
Platform
win10v2004-20241007-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA6CF.tmp.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpA6CF.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA6CF.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe
"C:\Users\Admin\AppData\Local\Temp\03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dhc_svqb.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7F8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc48BF648AA9B84328A1D9B1B44D89215D.TMP"
C:\Users\Admin\AppData\Local\Temp\tmpA6CF.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA6CF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\03109a8f0dd82913b5735c298fe4c3045a981e8c8b7620e1e02bc26b4e9f23e0N.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\dhc_svqb.cmdline
C:\Users\Admin\AppData\Local\Temp\dhc_svqb.0.vb
C:\Users\Admin\AppData\Local\Temp\zCom.resources
C:\Users\Admin\AppData\Local\Temp\vbc48BF648AA9B84328A1D9B1B44D89215D.TMP
C:\Users\Admin\AppData\Local\Temp\RESA7F8.tmp
C:\Users\Admin\AppData\Local\Temp\tmpA6CF.tmp.exe