Analysis Overview
SHA256
d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5
Threat Level: Known bad
The file d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Metamorpherrat family
Uses the VBS compiler for execution
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-02 16:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-02 16:00
Reported
2024-11-02 16:03
Platform
win7-20240903-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpF612.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpF612.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpF612.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpF612.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe
"C:\Users\Admin\AppData\Local\Temp\d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bxnjqu5x.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF94E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF94D.tmp"
C:\Users\Admin\AppData\Local\Temp\tmpF612.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF612.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe
Network
Files
memory/2112-0-0x0000000074471000-0x0000000074472000-memory.dmp
memory/2112-1-0x0000000074470000-0x0000000074A1B000-memory.dmp
memory/2112-3-0x0000000074470000-0x0000000074A1B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bxnjqu5x.cmdline
memory/2796-8-0x0000000074470000-0x0000000074A1B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bxnjqu5x.0.vb
C:\Users\Admin\AppData\Local\Temp\zCom.resources
C:\Users\Admin\AppData\Local\Temp\vbcF94D.tmp
C:\Users\Admin\AppData\Local\Temp\RESF94E.tmp
memory/2796-18-0x0000000074470000-0x0000000074A1B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF612.tmp.exe
memory/2112-24-0x0000000074470000-0x0000000074A1B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-02 16:00
Reported
2024-11-02 16:03
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7A50.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp7A50.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp7A50.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7A50.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe
"C:\Users\Admin\AppData\Local\Temp\d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lyxlnmrn.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C83.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEC64440D76494C05A81971A55A3BB74.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp7A50.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7A50.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe
Network
Files
memory/220-0-0x0000000075542000-0x0000000075543000-memory.dmp
memory/220-1-0x0000000075540000-0x0000000075AF1000-memory.dmp
memory/220-2-0x0000000075540000-0x0000000075AF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lyxlnmrn.cmdline
C:\Users\Admin\AppData\Local\Temp\lyxlnmrn.0.vb
memory/1348-9-0x0000000075540000-0x0000000075AF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zCom.resources
C:\Users\Admin\AppData\Local\Temp\vbcEC64440D76494C05A81971A55A3BB74.TMP
C:\Users\Admin\AppData\Local\Temp\RES7C83.tmp
memory/1348-18-0x0000000075540000-0x0000000075AF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7A50.tmp.exe
memory/4320-23-0x0000000075540000-0x0000000075AF1000-memory.dmp
memory/220-22-0x0000000075540000-0x0000000075AF1000-memory.dmp
memory/4320-24-0x0000000075540000-0x0000000075AF1000-memory.dmp
memory/4320-26-0x0000000075540000-0x0000000075AF1000-memory.dmp
memory/4320-27-0x0000000075540000-0x0000000075AF1000-memory.dmp
memory/4320-28-0x0000000075540000-0x0000000075AF1000-memory.dmp