Analysis Overview
SHA256
2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623
Threat Level: Known bad
The file 2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 20:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 20:56
Reported
2024-11-09 20:59
Platform
win7-20240903-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp5B1B.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp5B1B.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp5B1B.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp5B1B.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe
"C:\Users\Admin\AppData\Local\Temp\2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fnvjqh-q.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C54.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5C43.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp5B1B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5B1B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
The 44.221.84.105:80 bejnz.com tcp row and the 127.0.0.1:127 row repeat alternately for the remainder of the capture.
Files
memory/2668-0-0x0000000074891000-0x0000000074892000-memory.dmp
memory/2668-1-0x0000000074890000-0x0000000074E3B000-memory.dmp
memory/2668-2-0x0000000074890000-0x0000000074E3B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fnvjqh-q.cmdline
| MD5 | a777ed8e274fe3cd01cca2e2a47ca250 |
| SHA1 | ce52b5b73e01024fea066a3bba00ba8a14e2c5f1 |
| SHA256 | d4f06387cbc71ee5c311e9aa1c4e9dbf3ff202ff01a175188f254e6cea13a752 |
| SHA512 | 49cc9bae5189a946668df547a25b1cd152a237501fc404f590d2311ba242bcf1f55b93f7c2ee8499c177e9ef19c57db30032589bc7086d6bb2c026cd5331412d |
memory/2740-8-0x0000000074890000-0x0000000074E3B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fnvjqh-q.0.vb
| MD5 | 798d702731e64f06a4caced619033d3d |
| SHA1 | fbea0ffc6827fc3a8a30a26148757d9ad241d8c2 |
| SHA256 | 7604bcf711d578d76d5155f85d02ac2c85afd8c243e8587128a79aefea799e70 |
| SHA512 | a9e0d8ed5f60a3484e161c93265d65a8825abe1a7f7439aa775c98e8b9a8acd59b48fb048794ba7d1dfce53559b7d7558abea1c6bc3e9341d76b95a9816db17f |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbc5C43.tmp
| MD5 | 1fb1ac606b89b5d98878ea0938ce2609 |
| SHA1 | e116c69dec9397109f5e2b1b83362952e1d48319 |
| SHA256 | 25969d2f5e0e7f976416459ac989395c09801a83ca670481d5f4d31d83596b1a |
| SHA512 | d2b6f3fe0b909f6091fa9ffd8e5bc3dfda08e60c05a60043000719dd73b05841e360e6e9718b4ceb06dcad7b0e45b1a9a5847fe7515384c8a81aa386f50a79f1 |
C:\Users\Admin\AppData\Local\Temp\RES5C54.tmp
| MD5 | e1af5adad05c5962325ed94528d068f3 |
| SHA1 | 80ed5ae86b87c5cf0514770fcc5138f9554747bf |
| SHA256 | 312aebe2c0fd6dce682d19721614df1f97d62b0bb81ec8893b27208541c9a6b2 |
| SHA512 | 1d2b1962f7add9680d9ff70ecebf25294af827855ec9d9c64831b74e36296ae0ac1c2b5d4c82ae91cf3d106b06ac5d0426bb084f45ee29f33781d4de34e1cb48 |
memory/2740-18-0x0000000074890000-0x0000000074E3B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5B1B.tmp.exe
| MD5 | 60c0680ee4ae7bacdbef91e5bd4f0856 |
| SHA1 | 80cd65c64f3797710f6c181591af15b5335e9351 |
| SHA256 | 1fe6aa80927a7e4a90a3b35415c7c11858270c9f1ea7d78a703b75f7d2a37cbd |
| SHA512 | 65e9f535d40804ace0cda2f7d69c2564786ce2fce0372f288685443cc627b0e2b1833989375aff367084bb13f0985ffa3825ffbb88af6f0c8f868d241fd764db |
memory/2668-24-0x0000000074890000-0x0000000074E3B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 20:56
Reported
2024-11-09 20:59
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9EE0.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp9EE0.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp9EE0.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9EE0.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe
"C:\Users\Admin\AppData\Local\Temp\2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wpvdlkmp.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA037.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc82902EE7A3E45B1A2026E2D01A9D69.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp9EE0.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9EE0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
The 44.221.84.105:80 bejnz.com tcp row and the 127.0.0.1:127 row repeat alternately throughout the capture, interleaved with the reverse lookups listed above.
Files
memory/3804-0-0x0000000074E42000-0x0000000074E43000-memory.dmp
memory/3804-1-0x0000000074E40000-0x00000000753F1000-memory.dmp
memory/3804-2-0x0000000074E40000-0x00000000753F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wpvdlkmp.cmdline
| MD5 | d6bbde586125665dd7b732d62291a743 |
| SHA1 | 721064e207589902339012ea91eb87dfab1ac4c7 |
| SHA256 | 8bbe589b1e0aa06b39bdbd37ed2a0835279f5f5cef85a25426f6b66158ad69a2 |
| SHA512 | 4d765b22380afde05f1222ffcb6189ee59fcb061accd5096fa8c7ca8d8d168734ea0290e8fb718d4f4934f9e6e9b63634c0c82d34119824d827cb796f39827b4 |
C:\Users\Admin\AppData\Local\Temp\wpvdlkmp.0.vb
| MD5 | f14bb07d79781c95993a477aafa78f9b |
| SHA1 | e6efea69d009c8834710e8af96b68b2af0545fb0 |
| SHA256 | 5716b2b1698c207be920366a718ffba0594bdc09e6281dab2f439c9cfc4ec44f |
| SHA512 | 55764542a7459cb647f8e3018a72e3bf7069b652924dffb2b9e3df10ef8e9eccbae8a0eb377ec482f3fb96db4d7add5f771f3f0064acef9c5f85bac0219ba86c |
memory/4784-9-0x0000000074E40000-0x00000000753F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbc82902EE7A3E45B1A2026E2D01A9D69.TMP
| MD5 | 57b9e3812d5cd63d8d7de68dc985e54f |
| SHA1 | 453666212d509efb9da219cbda194b74750eb011 |
| SHA256 | 937b80012481ef20ca5058fef22e27a682e0d6d8f82f098128ab52d362bad41f |
| SHA512 | 27ae7797600ead3a09e741f86944cdef2e707376b20e0801aae9b8bcd484616cf18da72ed81b66742bb9fb2134f26bdc1dc8c24640b486b892df1904c6067cbd |
C:\Users\Admin\AppData\Local\Temp\RESA037.tmp
| MD5 | 4476bdb4bd12cab7e66324b1b9c159bf |
| SHA1 | 43da41cb07ec53cc031d0f8d54ee273558c5c70e |
| SHA256 | c390150af295ca420695b119f201c453f9e070601e8edd9e793d470d17a592d5 |
| SHA512 | 30eaa4cb86fd8a6663ff4e6c068a486a3e2d8552bd42e888d07da659dad7cad929ac83d8ce1eef86127770ce740606f7b50541b6ff6c4e9504f669324e69475b |
memory/4784-18-0x0000000074E40000-0x00000000753F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp9EE0.tmp.exe
| MD5 | c3323137730ba1d23159a8a98680248a |
| SHA1 | c47fa2a55ca9f7eb2ecebf0420b5dc382a946e5c |
| SHA256 | 8d10826767f14211c6ea379468a7c6e0ea9cd014be6fb11db011a3e0d41f1fb2 |
| SHA512 | 1d0e7a21df1fac1bafa9a2a7eb5a7c2d514d6a4de5040f3d870f7cfdf8581fc218c599a9136ea6f2249d7945bc4edecf3aef4494e8ad590a2feaf43fd15c26b1 |
memory/3804-22-0x0000000074E40000-0x00000000753F1000-memory.dmp
memory/3860-24-0x0000000074E40000-0x00000000753F1000-memory.dmp
memory/3860-25-0x0000000074E40000-0x00000000753F1000-memory.dmp
memory/3860-23-0x0000000074E40000-0x00000000753F1000-memory.dmp
memory/3860-27-0x0000000074E40000-0x00000000753F1000-memory.dmp
memory/3860-28-0x0000000074E40000-0x00000000753F1000-memory.dmp
memory/3860-29-0x0000000074E40000-0x00000000753F1000-memory.dmp
memory/3860-30-0x0000000074E40000-0x00000000753F1000-memory.dmp
memory/3860-31-0x0000000074E40000-0x00000000753F1000-memory.dmp