Analysis Overview
SHA256
e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76e
Threat Level: Known bad
The file e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 10:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 10:28
Reported
2024-11-04 10:31
Platform
win7-20241010-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe
"C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xdprodwh.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB48.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB47.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp |
Files
memory/2296-0-0x0000000074591000-0x0000000074592000-memory.dmp
memory/2296-1-0x0000000074590000-0x0000000074B3B000-memory.dmp
memory/2296-2-0x0000000074590000-0x0000000074B3B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xdprodwh.cmdline
| MD5 | 257b3127da7f29b12d4944f38147f96d |
| SHA1 | c5ec4988e40afc0a94de05fcd7c67e7382e28be3 |
| SHA256 | 671dbc2e2fa51ebc79839345619cdcb02a563db789c0143d2685d199b5df7a5a |
| SHA512 | 95051aacf3bb935256e10aab885206b833a9edc651712cc4b983fca0484425346d36728e19b78d911309af6e427659f0d0f5239288446c740c5562164396ee7d |
memory/856-8-0x0000000074590000-0x0000000074B3B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xdprodwh.0.vb
| MD5 | b36c609ab2cd248735fd0d3b83cc4837 |
| SHA1 | eaaa30d55bdf349fc1bae4d56e5da8038bb2832f |
| SHA256 | 5742f0518ee89df746ddcc629188e3c9561540faeb8043a56936d4457ed160df |
| SHA512 | 691a6a73c66ca8b14b4ef8806fdce6b2b1569e13b59f9a50a3e3720d53fa8e7bb109746e8ca97cc1a7066a0fd2d152f066771840d89bca31de9b7f83f9ad6d90 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 484967ab9def8ff17dd55476ca137721 |
| SHA1 | a84012f673fe1ac9041e7827cc3de4b20a1194e2 |
| SHA256 | 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b |
| SHA512 | 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7 |
C:\Users\Admin\AppData\Local\Temp\vbcB47.tmp
| MD5 | 13919ca909b3c480200a1541961ef351 |
| SHA1 | 53ebe955f84b543d17eac71d2421414f3a620a52 |
| SHA256 | 599a0159cd645ca31365dfd70d1e26f4819a5a547f210c6261f18a85e82ded35 |
| SHA512 | af57a372e925940cb61e91699a42a571599ed8da033cf2f9dadd436154f6200a84d2ac1db2a7d4f51c2bc1a634b200040856c222e299eaf5ac0a03150d651fd4 |
C:\Users\Admin\AppData\Local\Temp\RESB48.tmp
| MD5 | 6a25b5ff4389f99c778462ed54308aae |
| SHA1 | 3e55a4a43d919e9ebea10562373769407e8f414e |
| SHA256 | b6965ee049aed82e44097e6833c481172b9183a6ad36be687c54054b34b4c1ca |
| SHA512 | 0bf6f7f2281079cd317031e00196a561a67428aa1e409890cbbd76e1a72e8600aab667205c67e38dcbf378763a4984ff84afb91cbbfb988a9a9b9414688137c1 |
memory/856-18-0x0000000074590000-0x0000000074B3B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe
| MD5 | a89c21913c18a815481ab5e8c1c7ce26 |
| SHA1 | 38d0e30a4890cea1dada8d3fd165da7d915ebf16 |
| SHA256 | 3fb1f53a438fbb21fa69c69d059bdcc85ced37ca7a33cfcf4ff76ab7360b924f |
| SHA512 | bab3527469c6bdad04ae49d6cc4fd6c49f68dcc5a83de36c038eb320ac78f45f58a3187ac33866d84aae7349add5f3d4db17c21da75a0a5b44b73f2a2c3b93b5 |
memory/2296-24-0x0000000074590000-0x0000000074B3B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 10:28
Reported
2024-11-04 10:31
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe
"C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wskgvt_4.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE70.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF7C37DAC65BC4F5BBE9B0D0A97B13B.TMP"
C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp |
Files
memory/808-0-0x0000000075382000-0x0000000075383000-memory.dmp
memory/808-1-0x0000000075380000-0x0000000075931000-memory.dmp
memory/808-2-0x0000000075380000-0x0000000075931000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wskgvt_4.cmdline
| MD5 | 10058be852250004f29d747a32ab5b34 |
| SHA1 | e0814fb2afe88815fcf0b74f889ba491b5cac240 |
| SHA256 | eb88c6b580336aaefac3ebe1e27c82c8b238849b73d7422da4fc3eb75e471727 |
| SHA512 | e59d99f8dee3299fc490301492df6229e1fad4cc3c93b2c3894d331285e08868836a2158936cb62153e0d58ea7d1913ef1c922c68cfcc284142a3a2796d949c8 |
C:\Users\Admin\AppData\Local\Temp\wskgvt_4.0.vb
| MD5 | 5347c81dad1f652c8729004b7274b05b |
| SHA1 | 87f44809ef6309191620a9a28c6c3903efa7ad84 |
| SHA256 | 1cba504b34bda31ae6b3294c7df885a255dd4d34cd84cfedade52a2eddfb518e |
| SHA512 | e91173edb28802b38d5a8be6bf5a7a9cddaace49912c4facae735df395b0edf5413d61657cf140b45a5b8401674d2fea947cfbc8c6fa49e918f1ebe2d9121bc3 |
memory/4672-9-0x0000000075380000-0x0000000075931000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 484967ab9def8ff17dd55476ca137721 |
| SHA1 | a84012f673fe1ac9041e7827cc3de4b20a1194e2 |
| SHA256 | 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b |
| SHA512 | 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7 |
C:\Users\Admin\AppData\Local\Temp\vbcF7C37DAC65BC4F5BBE9B0D0A97B13B.TMP
| MD5 | b2f595763357c2a35f6b54e86a71a435 |
| SHA1 | 1a6b4a6b1ba061cfdc6b3e15b6f0012b13c930d4 |
| SHA256 | 443fc11021a172a4d5a94d9b8a1f094e5082502f2fd4e1da120a10fa05b25aac |
| SHA512 | b5f5614ea5fab402636b0975bdc887f497f4a664d51ee3d804abd50682df6baec4f6010bae65ed283a875333aeb03d03ed4f00a0c97910f9948838a407198d1f |
C:\Users\Admin\AppData\Local\Temp\RESAE70.tmp
| MD5 | 3be568d554a5055d71410b986badb885 |
| SHA1 | cf1b674c185e4a3abcdc45111087f03c13d25840 |
| SHA256 | 59bd784b42db65b8858f96845064b8c469e22bffdfcd0b28a948acd2812ce1bc |
| SHA512 | 69999acd0cd6e57af9adb997deebbb576b1120933fba2663282cbd0ee880e49179cc75428bb272f932b26ff76f4722920ca8c5b3141ec334dc2f8a2822b6434b |
memory/4672-18-0x0000000075380000-0x0000000075931000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.exe
| MD5 | 5b4b4942af26646f42355d2f34dc6138 |
| SHA1 | 132d42295bbe9f9adf95f7014dbe13117845a696 |
| SHA256 | 92029be24e8d8e40d8e9c06995c8d232e029590df2f3854d5016b53247ef10d3 |
| SHA512 | 5b25df3b978f2b30249a63591fbc8391ab3e9693b556d1e59cc6ded7fbe1cd05074cedb1bb846331095fafc66de229d1f046608da8c966cc2f25c2863587eee8 |
memory/808-22-0x0000000075380000-0x0000000075931000-memory.dmp
memory/2804-23-0x0000000075380000-0x0000000075931000-memory.dmp
memory/2804-24-0x0000000075380000-0x0000000075931000-memory.dmp
memory/2804-25-0x0000000075380000-0x0000000075931000-memory.dmp
memory/2804-26-0x0000000075380000-0x0000000075931000-memory.dmp
memory/2804-27-0x0000000075380000-0x0000000075931000-memory.dmp
memory/2804-28-0x0000000075380000-0x0000000075931000-memory.dmp