Analysis Overview
SHA256
d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0
Threat Level: Known bad
The file d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
Uses the VBS compiler for execution
Loads dropped DLL
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-03 19:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-03 19:55
Reported
2024-11-03 19:57
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpBB70.tmp.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpBB70.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpBB70.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe
"C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cjl53v58.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCF7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34A3DBDE2F954F3884EEBA712E71CAD.TMP"
C:\Users\Admin\AppData\Local\Temp\tmpBB70.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBB70.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 8.8.8.8:53 | 150.144.22.2.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | tcp | |
| US | 8.8.8.8:53 | udp |
Files
memory/1860-0-0x0000000074E62000-0x0000000074E63000-memory.dmp
memory/1860-1-0x0000000074E60000-0x0000000075411000-memory.dmp
memory/1860-2-0x0000000074E60000-0x0000000075411000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cjl53v58.cmdline
| MD5 | 27edf1e31ce1443a3fc0c88dfab7ce12 |
| SHA1 | ec21817ecca4b7227f557d426d6f1a2459c5161c |
| SHA256 | 667779084916ee21c046670f544dd59de4fefa6ebf9ed8813321365bcf2e98ab |
| SHA512 | 24457548ce1f3b522f80f8b622f3184cbc5b7f1123732b31911458a35f4a6dbe2e8bd71c0b0ba2ac78586c341c4de1b7032372788211565a53042eef67876aa7 |
C:\Users\Admin\AppData\Local\Temp\cjl53v58.0.vb
| MD5 | 46172151fc0cc7e390a5b63d011c75c9 |
| SHA1 | 73944350e6bbf8486f7f3e4a7f61b7af8b457a94 |
| SHA256 | 43f420644e64127644c91ccfb542404e8dba39b0e0f35a563a2adad2dc12a8b6 |
| SHA512 | c1a10f8ecb2aab7543379be0c0d95b940dfac2eabe7ea2f65c0d9609d7585a57d673b4e7a061fec1e75c0f9fb66ee6976987d33c2810663e5913007a30ae39cd |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8008b17644b64cea2613d47c30c6e9f4 |
| SHA1 | 4cd2935358e7a306af6aac6d1c0e495535bd5b32 |
| SHA256 | fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55 |
| SHA512 | 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea |
memory/1932-13-0x0000000074E60000-0x0000000075411000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vbc34A3DBDE2F954F3884EEBA712E71CAD.TMP
| MD5 | 881a01e1e57e233b14bb290ba0f55760 |
| SHA1 | 616c29f9712661fab95d871f1d4a387cdfef7805 |
| SHA256 | 55536805cefd8f4b2065762a5b44167840b282b903b984a28f7e00b1d87ab1a4 |
| SHA512 | f75af192fad8960455d24d24a47c6483924f90f758b4f9dc74246e2bb2ec11e14e3664f5b4854fb8102fb9a9a4c8dc508bbc002033cf1bf4fb70cf69fcce697c |
C:\Users\Admin\AppData\Local\Temp\RESBCF7.tmp
| MD5 | 598938f3a33353d19e48d8b4294f1212 |
| SHA1 | 71b3c8528bad19114af1770182f25d81638bfad1 |
| SHA256 | ccfd27f052b02bb00efc5c960980671c72fef5c0d49b9f5d1003b642e81c297d |
| SHA512 | af5e4f4a3c696a5aa815c2a64626bae639b6786ed3c642f6bcc3c6f89b602f6aff86a816d14f6258edbd64fcb9910fd381f3f726daa9dbc28ce9106dcfc8e1a8 |
memory/1932-18-0x0000000074E60000-0x0000000075411000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpBB70.tmp.exe
| MD5 | be3dc4bea0173f8b1e764d3848ce64e0 |
| SHA1 | 1aa62c30dabdc03b28a2674ad284d6b759c92553 |
| SHA256 | b9bd7966d04a9d63c7a62a4ba92728d68de7d634349adf27c4c52513337e806c |
| SHA512 | 1179cd590d059b9eda1e66d9d212f4d45e85eeb7be924b89f84637af6692331c30cc3a6f54c3fdbcbd06287c80747e2a73064dcb499fb8598b57ce8db4ac89e9 |
memory/1860-23-0x0000000074E60000-0x0000000075411000-memory.dmp
memory/5032-22-0x0000000074E60000-0x0000000075411000-memory.dmp
memory/5032-25-0x0000000074E60000-0x0000000075411000-memory.dmp
memory/5032-24-0x0000000074E60000-0x0000000075411000-memory.dmp
memory/5032-26-0x0000000074E60000-0x0000000075411000-memory.dmp
memory/5032-27-0x0000000074E60000-0x0000000075411000-memory.dmp
memory/5032-28-0x0000000074E60000-0x0000000075411000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-03 19:55
Reported
2024-11-03 19:58
Platform
win7-20240903-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp5013.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp5013.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe
"C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lgrr3xm0.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES510E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc510D.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp5013.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5013.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | tcp |
Files
memory/2856-0-0x00000000747E1000-0x00000000747E2000-memory.dmp
memory/2856-1-0x00000000747E0000-0x0000000074D8B000-memory.dmp
memory/2856-5-0x00000000747E0000-0x0000000074D8B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lgrr3xm0.cmdline
| MD5 | 591105bbd42ff5ff59961340c3f4e372 |
| SHA1 | f101b0ac017e8730e398bc39b2e6b49a8b08cfb5 |
| SHA256 | efeaf23df08588f7a16d9b94031f1d487842ebd80772d0b07f097e9b6639397b |
| SHA512 | af854cc269b591e1ad0d881fc4450fa89e8c2af976a58e15349a4b6b95b395fa113eae7d0db0f5109b2d4de69825efd19758ed9f02a6a16ccf6e448b6f5a519e |
memory/2672-8-0x00000000747E0000-0x0000000074D8B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lgrr3xm0.0.vb
| MD5 | 62aa908a6c78c20cea4fce1addd24f98 |
| SHA1 | 43faad2007912153f1bde72d7efad665727404fc |
| SHA256 | e0c769a2202741f69b68b82cd60abcf2098e42183fd517a834f9c102dd8e430e |
| SHA512 | caac3078b2ad64a9efcede9985c8312debe72e344f46e6ac155a06b15e810e9a4109c665d12c4a6d5cdc1820c64d4071218a0c38f88e4da78abb90785264f604 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8008b17644b64cea2613d47c30c6e9f4 |
| SHA1 | 4cd2935358e7a306af6aac6d1c0e495535bd5b32 |
| SHA256 | fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55 |
| SHA512 | 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea |
C:\Users\Admin\AppData\Local\Temp\vbc510D.tmp
| MD5 | 79a5c199a3e8e06d58a0d85f7f742373 |
| SHA1 | 32580c3df4c02098749794260f395b53dad15460 |
| SHA256 | b506630fd777212428dbdd5294683f30626eeeb4b21c2d02033d444301985bce |
| SHA512 | a45fd0887d17e6c64e191e9db023fc09936f283c8a114ae2413add16ab4dbefb9b46c5f50f70ace2444adfc213f71d0e034d3977d11f25aa239fe797d2630fc9 |
C:\Users\Admin\AppData\Local\Temp\RES510E.tmp
| MD5 | 94044b0f33c7670e805c7347e893fc6e |
| SHA1 | b1634ef609f2071740c73ff2d2edbe2a96262059 |
| SHA256 | 916ad5185300955d15bf8b8bc9c69f4e3aeddb0dfbac28d6c22fcd57f6a37936 |
| SHA512 | 4fbdb5a51bc0ea181e41eb23206fff0908c92b489a46157da39117156c16a2165b140f134113fe67f10e976daaca464d77259e8417ac29b71f22897fa698d440 |
memory/2672-18-0x00000000747E0000-0x0000000074D8B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5013.tmp.exe
| MD5 | 1f1a2612a30efa0954959920463f2926 |
| SHA1 | b0ec7ed0956e431fb76c35a8fcf4b82ee057b5a5 |
| SHA256 | de714a93e6dd3913d05551b9bee429cd28be00cccd5818d16e5f17ce19dd6bf7 |
| SHA512 | f628b7aaffa0b588753736a77212f5917c95b5d77cda485a050ccf9f5ae1ffdd47c75165e0d56d6b8411691e2681c5e9b490c2fea0ca378b718c427a9f100037 |
memory/2856-24-0x00000000747E0000-0x0000000074D8B000-memory.dmp