Analysis Overview
SHA256: 8a4d6138ab5751bdf110ca246ddbb916a3e0509d3d4a7ca38f68def1dc40601d
Threat Level: Known bad
Malicious Activity Summary
MetamorpherRAT
Metamorpherrat family
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 00:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 00:19
Reported
2024-11-10 00:21
Platform
win7-20241023-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6D63.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8a4d6138ab5751bdf110ca246ddbb916a3e0509d3d4a7ca38f68def1dc40601d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8a4d6138ab5751bdf110ca246ddbb916a3e0509d3d4a7ca38f68def1dc40601d.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp6D63.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8a4d6138ab5751bdf110ca246ddbb916a3e0509d3d4a7ca38f68def1dc40601d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp6D63.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8a4d6138ab5751bdf110ca246ddbb916a3e0509d3d4a7ca38f68def1dc40601d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6D63.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a4d6138ab5751bdf110ca246ddbb916a3e0509d3d4a7ca38f68def1dc40601d.exe
"C:\Users\Admin\AppData\Local\Temp\8a4d6138ab5751bdf110ca246ddbb916a3e0509d3d4a7ca38f68def1dc40601d.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i6e7h1sp.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E8C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E8B.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp6D63.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6D63.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8a4d6138ab5751bdf110ca246ddbb916a3e0509d3d4a7ca38f68def1dc40601d.exe
Network
Count gives the number of times the connection was logged during the run; the TCP connection to bejnz.com and the loopback entry alternated for the whole trace.
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | bejnz.com | udp | 1 |
| US | 44.221.84.105:80 | bejnz.com | tcp | 52 |
| N/A | 127.0.0.1:127 | | tcp | 52 |
Files
memory/3012-0-0x0000000073D71000-0x0000000073D72000-memory.dmp
memory/3012-1-0x0000000073D70000-0x000000007431B000-memory.dmp
memory/3012-2-0x0000000073D70000-0x000000007431B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\i6e7h1sp.cmdline
| MD5 | aa96878f846a2f5d04f4f1d6ddd54824 |
| SHA1 | cecca4e0b1bacbfbab678999cdc6998b67e208c1 |
| SHA256 | c36c06ac91518dc52a8fd877eff39e3057838b89fc2270ca07dfef3234655eb4 |
| SHA512 | e6f9c4ac91d93ec0991b7e6f1451de3031d69c14969479eed53115594226761a532407cc161868fc37c623bf627786f9f4cd554f7cb638ee497f2e6699540976 |
memory/3024-8-0x0000000073D70000-0x000000007431B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\i6e7h1sp.0.vb
| MD5 | e1965564babcd1484ccc4326e9291367 |
| SHA1 | cb59932b899ed0efc7def9b989ad1726700353ec |
| SHA256 | 0ab76807703e7c0e4137740cef5fdef8bdf6e20447bc4aa74fb8065b798c3cd5 |
| SHA512 | ef5d5e6a2fd8e5152e55a209c875fe3d6208b420269d1a00120417eb5c51579245fe989880710bbe24c68ea41fdf8fd0a183489c949e2537b7f742cdbabf3b48 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbc6E8B.tmp
| MD5 | c7f58119c48c78589b8ba517e6a08df0 |
| SHA1 | 9b380a603a0eb9eed5ae4c0fdf7165e32e715c58 |
| SHA256 | 9fa113f49e99e9ae07d3edc08d653dcedbd91059a333cd5477ef3151cf3bc893 |
| SHA512 | c81777af1c371bb3749f4d5905eaa9b6ff49719d898e3b42f1bdf94f9a1522f399441152349c43b8e9d90eec0cae5e317cc253ee0f9bc493dfd5d6cdf1e59f42 |
C:\Users\Admin\AppData\Local\Temp\RES6E8C.tmp
| MD5 | 059a599e6f8d5c1ac1002024685cae38 |
| SHA1 | 68dd4c659b235abaf77b862be8f914fab49b6170 |
| SHA256 | ba037ed80d9f03e39181960e89479e5cae05e39ae6142b8abe7791a0ee9bb47f |
| SHA512 | 70ec29725240b2c48b6a996b9f5c3c9312fb30446432df1564a40e253b4e134308da1321cafe7421886ed32d4636381552380b3d7442440f68065a366df2091d |
memory/3024-18-0x0000000073D70000-0x000000007431B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp6D63.tmp.exe
| MD5 | 5440927ea92521b03bcc84b344bee317 |
| SHA1 | a7b24a124d2e3b10434ef5eebea4d06fa86be125 |
| SHA256 | ecb1a23225f29e05875698fc21419502785e06ab9b1d5c16cc3150549b0a7893 |
| SHA512 | 2433c52e8060d592bcc142dee6968cd771cacfbb5f1b45de437419025e107e0f8c11f72cb135514755bbcbe0c36dccbf2f1a23e8ce5ecf1ac4eb5a4d3cff5b38 |
memory/3012-24-0x0000000073D70000-0x000000007431B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 00:19
Reported
2024-11-10 00:22
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8a4d6138ab5751bdf110ca246ddbb916a3e0509d3d4a7ca38f68def1dc40601d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpAC6C.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpAC6C.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpAC6C.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8a4d6138ab5751bdf110ca246ddbb916a3e0509d3d4a7ca38f68def1dc40601d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8a4d6138ab5751bdf110ca246ddbb916a3e0509d3d4a7ca38f68def1dc40601d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpAC6C.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a4d6138ab5751bdf110ca246ddbb916a3e0509d3d4a7ca38f68def1dc40601d.exe
"C:\Users\Admin\AppData\Local\Temp\8a4d6138ab5751bdf110ca246ddbb916a3e0509d3d4a7ca38f68def1dc40601d.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yiasci_m.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD76.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC1C1610989BF4D959A2D27ECC338DD59.TMP"
C:\Users\Admin\AppData\Local\Temp\tmpAC6C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpAC6C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8a4d6138ab5751bdf110ca246ddbb916a3e0509d3d4a7ca38f68def1dc40601d.exe
Network
Count gives the number of times the connection was logged, in trace order; the TCP connection to bejnz.com and the loopback entry alternated within each run of repeats.
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | bejnz.com | udp | 1 |
| US | 44.221.84.105:80 | bejnz.com | tcp | 1 |
| N/A | 127.0.0.1:127 | | tcp | 1 |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp | 1 |
| US | 44.221.84.105:80 | bejnz.com | tcp | 7 |
| N/A | 127.0.0.1:127 | | tcp | 7 |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp | 1 |
| US | 44.221.84.105:80 | bejnz.com | tcp | 19 |
| N/A | 127.0.0.1:127 | | tcp | 19 |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp | 1 |
| US | 44.221.84.105:80 | bejnz.com | tcp | 14 |
| N/A | 127.0.0.1:127 | | tcp | 14 |
| US | 44.221.84.105:80 | | tcp | 1 |
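Added example, not from the report: both Network tables record the same pattern, one DNS query for bejnz.com followed by repeated TCP connections to 44.221.84.105:80 interleaved with a loopback entry, plus, on the Windows 10 platform only, PTR queries for addresses the sample never connects to. The Python below parses rows in the table's own pipe format (tolerating rows where the empty Domain cell was dropped and "tcp" shifted one column left), counts connections per destination to surface the check-in host, converts in-addr.arpa names back to addresses, and separates PTR lookups without a matching connection from the IOCs worth blocking. The excerpt is constructed from the behavioral2 rows with the repeat count shortened; the threshold of 5 hits is an arbitrary choice.

```python
from collections import Counter
from dataclasses import dataclass

# Added example, not part of the sandbox report. It reads the report's Network
# table rows (pipe-separated, no separator line) and turns them into counted
# connections and a de-noised IOC list.


@dataclass(frozen=True)
class Conn:
    country: str
    dest: str      # "ip:port"
    domain: str    # resolved or queried name, "" when absent
    proto: str     # "tcp" or "udp"


PROTOS = ("tcp", "udp")


def parse_trace(text: str):
    """Parse '| Country | Destination | Domain | Proto |' rows. The export drops
    the empty Domain cell on some rows, which shifts 'tcp' into the third column,
    so the protocol is located by value rather than by position."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        rest = cells[2:]
        proto = next((c.lower() for c in rest if c.lower() in PROTOS), "")
        domain = next((c for c in rest if c and c.lower() not in PROTOS), "")
        rows.append(Conn(cells[0], cells[1], domain, proto))
    return rows


def ptr_to_ip(name: str):
    """'105.84.221.44.in-addr.arpa' -> '44.221.84.105'; None for forward names."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4 or not all(l.isdigit() for l in labels):
        return None
    return ".".join(reversed(labels))


def is_loopback(dest: str) -> bool:
    return dest.startswith("127.")


def is_dns(conn: Conn) -> bool:
    return conn.proto == "udp" and conn.dest.endswith(":53")


def beacon_candidates(rows, min_hits: int = 5):
    """Destinations (excluding loopback and the resolver) contacted at least
    min_hits times during the run. Repeated short connections to one host:port
    are the check-in pattern worth a network rule."""
    hits = Counter(r.dest for r in rows if not is_loopback(r.dest) and not is_dns(r))
    return {dest: n for dest, n in hits.items() if n >= min_hits}


def extract_iocs(rows):
    domains, endpoints, reverse = set(), set(), set()
    for r in rows:
        if is_dns(r):
            ip = ptr_to_ip(r.domain)
            if ip:
                reverse.add(ip)
            elif r.domain:
                domains.add(r.domain)
        elif not is_loopback(r.dest):
            endpoints.add(r.dest)
            if r.domain:
                domains.add(r.domain)
    return {"domains": sorted(domains), "endpoints": sorted(endpoints),
            "reverse_lookups": sorted(reverse)}


def unresolved_reverse_lookups(iocs):
    """PTR-queried addresses the sample never connected to. The Windows 7 run
    shows none of them, so treat them as platform background traffic, not C2."""
    contacted = {e.rsplit(":", 1)[0] for e in iocs["endpoints"]}
    return [ip for ip in iocs["reverse_lookups"] if ip not in contacted]


# Constructed excerpt in the report's table format: the behavioral2 run logs
# the same TCP/loopback pair 42 times; 9 are enough to exercise the threshold.
SAMPLE_TRACE = (
    "| Country | Destination | Domain | Proto |\n"
    "| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |\n"
    "| US | 8.8.8.8:53 | bejnz.com | udp |\n"
    "| US | 44.221.84.105:80 | bejnz.com | tcp |\n"
    "| N/A | 127.0.0.1:127 | tcp | |\n"
    "| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |\n"
    + "| US | 44.221.84.105:80 | bejnz.com | tcp |\n| N/A | 127.0.0.1:127 | tcp | |\n" * 7
    + "| US | 44.221.84.105:80 | tcp |\n"   # final row as exported, Domain cell missing
)

if __name__ == "__main__":
    rows = parse_trace(SAMPLE_TRACE)
    print(beacon_candidates(rows))
    iocs = extract_iocs(rows)
    print(iocs, unresolved_reverse_lookups(iocs))
```

Port 80 with a resolved hostname means the check-in is plain HTTP, so a proxy or IDS rule on the Host header bejnz.com catches it even if the address changes; the loopback connections carry no indicator and are excluded throughout.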
Files
memory/4988-0-0x0000000075382000-0x0000000075383000-memory.dmp
memory/4988-1-0x0000000075380000-0x0000000075931000-memory.dmp
memory/4988-2-0x0000000075380000-0x0000000075931000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yiasci_m.cmdline
| MD5 | 8ace35f4e5472d6a258ab2fb31ec8dcc |
| SHA1 | 4fb84eb323b54647903535adc5a69c6a01658b05 |
| SHA256 | 2434fcec1c7e96587ee8b9ecfa73410d06700790884a422d1edfa20663b1ada5 |
| SHA512 | b1416a613dfda45f5be7286e34aa1727cc0be268b942cc653057992a6ab4f81f84f2ac8b5c9498e652f868472e98b3491f761e1b92638db4aaf64642d5b9c613 |
C:\Users\Admin\AppData\Local\Temp\yiasci_m.0.vb
| MD5 | a39b959bf8a0162544c011213112b5d7 |
| SHA1 | 62337720138fc7695ccf1c299b4c2dc6c634499f |
| SHA256 | 4c4cc5b8a5f48a0b5d6d4d481f9c152250766e48ecacee36c349dab8c0e9916e |
| SHA512 | 4436087b4294f47b5c894e95ac08051832a59d1757a19eeaa38c0a5a99c17566c5d821fddb46fa8dd47c1113dc563e91127db05a7569a436d9e6bc8252af5a2a |
memory/4176-9-0x0000000075380000-0x0000000075931000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbcC1C1610989BF4D959A2D27ECC338DD59.TMP
| MD5 | dc757ca3bc357e0fe0704b12282f4fd2 |
| SHA1 | 8860eb54e9cc4c70a9a6f74667823d52f7a4641e |
| SHA256 | c48aa42071878e50ff68fa58aabfac0b06033886525569f427c13ace11edeb7f |
| SHA512 | 96bb8bd653ac0cae7ebbdc63ac7d44be7e42041ee8e90a8b641b2c460dc74c89df7ed8525e84bdc734f478f2d298b49e722cc091b041c44dd9cc5438adde288e |
C:\Users\Admin\AppData\Local\Temp\RESAD76.tmp
| MD5 | 612ba02722b94b65c575ec08154d712d |
| SHA1 | 02eba725489c26f99c5460bd6567f5e251db5057 |
| SHA256 | ce4ae9cc6211cc53c91efbdd3e074aafb44ccd5da2e346a0531bcb4a76753ca7 |
| SHA512 | 635650bcfed1095c701d63cd5d12f012fcc4397ba55de93fc68d670f915b8fe00ac3f67f0cc6c76d53df5fb5056be1aae661f368fda9ee91fbc653a6702e52a4 |
memory/4176-18-0x0000000075380000-0x0000000075931000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpAC6C.tmp.exe
| MD5 | 5ab426fde4a8b7f1ce73be521018988f |
| SHA1 | bba0e25fd638f63c400cda90b793ab9407d40411 |
| SHA256 | ba2a958c718c64a6b9d237194e2172fbd723145e00e9a38def2a928b194226f7 |
| SHA512 | ccfb934eb6008ef0479032911ff12d14ffae61c194043c43dcfa2656ce6fd1f0ca164fd7f426ab4f5dd0c14e72aa660e1a830d567c4d8dcf1940c80f3dba1b6c |
memory/4988-22-0x0000000075380000-0x0000000075931000-memory.dmp
memory/4976-23-0x0000000075380000-0x0000000075931000-memory.dmp
memory/4976-24-0x0000000075380000-0x0000000075931000-memory.dmp
memory/4976-26-0x0000000075380000-0x0000000075931000-memory.dmp
memory/4976-27-0x0000000075380000-0x0000000075931000-memory.dmp
memory/4976-28-0x0000000075380000-0x0000000075931000-memory.dmp
memory/4976-29-0x0000000075380000-0x0000000075931000-memory.dmp
memory/4976-30-0x0000000075380000-0x0000000075931000-memory.dmp