Analysis Overview
SHA256
c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415
Threat Level: Known bad
The file c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415 was found to be: Known bad.
Malicious Activity Summary
Metamorpherrat family
MetamorpherRAT
Uses the VBS compiler for execution
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-03 04:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-03 04:10
Reported
2024-11-03 04:12
Platform
win7-20240903-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB55B.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpB55B.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpB55B.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB55B.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe
"C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cjhhoen5.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB710.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB700.tmp"
C:\Users\Admin\AppData\Local\Temp\tmpB55B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB55B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
Files
memory/2148-0-0x0000000074DD1000-0x0000000074DD2000-memory.dmp
memory/2148-1-0x0000000074DD0000-0x000000007537B000-memory.dmp
memory/2148-2-0x0000000074DD0000-0x000000007537B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cjhhoen5.cmdline
| MD5 | 8364529885735a04536a79984649923b |
| SHA1 | 52e4d6355310c4f9824914e53d57e523fa440ffc |
| SHA256 | 943fb44b886a6863a34d2c151012400fd0c13b790ce8006aef19ca7889b9b940 |
| SHA512 | 2d40ff954bcf7c29f0fd4f166ff5ba0615d13741dbbb901b53ed7df65b582b5c94558080368e2ce705ea3bf6fcf689112a8a3cbd60b3e67eb6f9375a291f57e1 |
memory/2076-8-0x0000000074DD0000-0x000000007537B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cjhhoen5.0.vb
| MD5 | 7717496b5c2187925382cbb70566071d |
| SHA1 | d67cb1da8a3ad055fc39a946db5e325db83ae7fa |
| SHA256 | 31aac4fafa8495d89dbe2de62442f17207baad495edf1418c4babf89ee64b5ed |
| SHA512 | 1ba661fc6850c10f2256605c6c60d16e2d1432e52445b456539e1ff73725eca984d7c8beb41a25ed8b97402a9de610badbf6c5d07c70db0a704c4810c2f8489e |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbcB700.tmp
| MD5 | 515eca68dab3c76a8e1af10b1c528f16 |
| SHA1 | 15db143d5bfaa105f47e8b656a0485b766e858aa |
| SHA256 | 3355335ed9ae09dd14bab2c1dec0b76f04e15123a6aa8df3a5879bb605cd25ff |
| SHA512 | 2498bd5120450ea05cf69bf6bdbd1183a5e88333486278538b39b182f4440463b173466524c4e7456d217f891b80630ae1d19fa98ebdd296c8f069cbd8725a9d |
C:\Users\Admin\AppData\Local\Temp\RESB710.tmp
| MD5 | dacd6e195513b5dd395e1d6407428a7d |
| SHA1 | edb51f2f448b6c6c6aaf9c0688a837754bb27e32 |
| SHA256 | 6578e994a45f82d17e7336685e7c65f5ad1048ed5996ef6ddfb0d5ab7189fbbc |
| SHA512 | 1567a879039598b0dbbdd943d10798789aa1d095f5dc13eb1b75c61f2a94688be8b89b34425b072b0aad9ff582ca2ab0f064a4d89a09921d711a27620352191e |
memory/2076-18-0x0000000074DD0000-0x000000007537B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB55B.tmp.exe
| MD5 | 3724c45c6e845bdac7560fd6eeae0e6e |
| SHA1 | a36e39f272fe27b260e1dc144ea50e176752615a |
| SHA256 | 9e5e18acf42d0e634074264c9c58f183179bef6de9c728a2e2db18dba3353349 |
| SHA512 | af25349f0cf55be854d38879dd27de0e710285acd03418af9887529b6d123b110aa189ccedf1fdf8faf9c5c809f2e30fc2d1737ad4514dea1c97cb7e76d260d3 |
memory/2148-24-0x0000000074DD0000-0x000000007537B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-03 04:10
Reported
2024-11-03 04:12
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8993.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp8993.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp8993.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8993.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe
"C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4e-ugpkl.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8AAC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc92A6D2CB2F5644E9B2E64CC68CE0214D.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp8993.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8993.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | | tcp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
memory/4124-0-0x0000000075012000-0x0000000075013000-memory.dmp
memory/4124-1-0x0000000075010000-0x00000000755C1000-memory.dmp
memory/4124-2-0x0000000075010000-0x00000000755C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4e-ugpkl.cmdline
| MD5 | c940963f45c8cb91a18e378f4c0ff08a |
| SHA1 | 56d1f12198b938a3647254772bd870b70e12d472 |
| SHA256 | 2bb2bfc22ca509f52cfbab3292cb761f618b058fef838e41778e4dcdb8c4c33a |
| SHA512 | 8f10a83962265d79813a2e25459b779a5af6bbefce9115c0b2b247cd0a013e5f57c140f53e12d6cbd79a25f254c1c5476ebdf6d7c14ce3e76a6287663696d452 |
C:\Users\Admin\AppData\Local\Temp\4e-ugpkl.0.vb
| MD5 | 4c372b8ba364cf4efe7306a60e161bd9 |
| SHA1 | 824bf5d02cac40cbae27bf9060ba82c7d6908515 |
| SHA256 | 774b0fe21b02d4f14c56e213d39779bdc370265d591aaa501e1afece76a2d94e |
| SHA512 | bbaaf4054d4d0b5076fc2a2adcf01f03287a727521ec637f5975e793ae78e1233f6c7412ef8ddb51b419c710404540f968bb1808769e5ce0168adf07e4d9e678 |
memory/1192-9-0x0000000075010000-0x00000000755C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbc92A6D2CB2F5644E9B2E64CC68CE0214D.TMP
| MD5 | ea4cc557edd440c57b265a1a3ba113f3 |
| SHA1 | fe84def0bf99f9d1c51b7d3b74db4ebb6a6d3114 |
| SHA256 | 25f9e12e3f64cd48fa9f17c9e554b59cb0a2debf48afcac3912051c3a32ee845 |
| SHA512 | 336af301a236acc0932475d3397e819c667bf2e9fc5bc4b23b9e4a127f729ac243f0c236fb68368dba5757e80f5d1633c919c230076ad353d32667f12d695d62 |
C:\Users\Admin\AppData\Local\Temp\RES8AAC.tmp
| MD5 | 8d4805a2872e949916b20e5a3741f6e8 |
| SHA1 | 0343691c7620c8e78a46d3580f359850a22fc864 |
| SHA256 | 1e504c26812fe9c8da304b1c90b6e13965cceb244bc3bf0af6cad6404208cbc1 |
| SHA512 | b42fcbae6fe55a02735dd493f94a61577c8bc189d3bea91fbc67dfa9435efa6c2c9d7322505d1f8fa4084f44618ebf6384e37720377a1eefd2395bb8bc5d115d |
memory/1192-18-0x0000000075010000-0x00000000755C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8993.tmp.exe
| MD5 | 22810df01c4b3f3277e4341ca127488d |
| SHA1 | e32b14296283f1a91ab5315010bfa5d473e7db71 |
| SHA256 | ffe33c77d827e1ca9bb2d390597299cbe06f47b6b07de2d147864f5582fd261c |
| SHA512 | 6de91b28a04a20793d46b1dfbaff8786c8570ffeb63c19385786054fd48ea03a07e9bb62bced7558b341571968d03c546b8a7ab544f02752db166b36bc6c46b1 |
memory/4124-22-0x0000000075010000-0x00000000755C1000-memory.dmp
memory/972-23-0x0000000075010000-0x00000000755C1000-memory.dmp
memory/972-24-0x0000000075010000-0x00000000755C1000-memory.dmp
memory/972-26-0x0000000075010000-0x00000000755C1000-memory.dmp
memory/972-27-0x0000000075010000-0x00000000755C1000-memory.dmp
memory/972-28-0x0000000075010000-0x00000000755C1000-memory.dmp
memory/972-29-0x0000000075010000-0x00000000755C1000-memory.dmp
memory/972-30-0x0000000075010000-0x00000000755C1000-memory.dmp