Analysis Overview
SHA256
bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c
Threat Level: Known bad
The file bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c was found to be: Known bad.
Malicious Activity Summary
Metamorpherrat family
MetamorpherRAT
Deletes itself
Executes dropped EXE
Uses the VBS compiler for execution
Loads dropped DLL
Checks computer location settings
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 03:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 03:38
Reported
2024-11-08 03:40
Platform
win7-20240729-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe
"C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\72mwkkkl.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C58.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C57.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp |
Files
memory/2500-0-0x0000000074B41000-0x0000000074B42000-memory.dmp
memory/2500-1-0x0000000074B40000-0x00000000750EB000-memory.dmp
memory/2500-2-0x0000000074B40000-0x00000000750EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\72mwkkkl.cmdline
| MD5 | 9ed26216a1c52f28b98f358bd52b16c9 |
| SHA1 | 09e014ca48e4426a1cb71aa901f81fabdbe16544 |
| SHA256 | 308901ab14592053b21d3d84bb1b6626ddb0bce3d4996aa049848b28457dc9f9 |
| SHA512 | ef3cdffaa68b3e4c642c01d588f5bf24300e4d7219839e42fbad6e0fc4a664551e3a5992af9f1770fed9b032c1764ded18501523c96c229374aaf77f57fb6d1b |
memory/2152-8-0x0000000074B40000-0x00000000750EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\72mwkkkl.0.vb
| MD5 | 0d87efd3bf789ea1388afd8c657dda7c |
| SHA1 | c70dde37862fa6d9a0948220d9c4aa5992f592cc |
| SHA256 | 92d4e1b3f6a4ac4f7c89790acbda3d14a98f890b35a18aa3b4737cf3bdba3293 |
| SHA512 | be99f1537a9eedfc68db76049760de638d5513df95e918a2f753d90bf601bcc37d5c5910907c3b2eaaf7e84444a7b4942709d83134abac9e1939e8b203110169 |
C:\Users\Admin\AppData\Local\Temp\vbc1C57.tmp
| MD5 | 082d67428a6a60aa2dc512e96ae12064 |
| SHA1 | 031e0db6ce22846bb85bef249d9e230e4b91255d |
| SHA256 | 2b9462d97501b9e80543a6cc33673dd09f20a722eae7376875b71c3481de6b71 |
| SHA512 | 3733acfb8c4bde9cfeca397d2b3404300886885f4882f6809351f364312e094b2b76343525d373a16d3b71bffc32b4961bbd11161f3be93548fbe3acbbdfc7b4 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 484967ab9def8ff17dd55476ca137721 |
| SHA1 | a84012f673fe1ac9041e7827cc3de4b20a1194e2 |
| SHA256 | 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b |
| SHA512 | 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7 |
C:\Users\Admin\AppData\Local\Temp\RES1C58.tmp
| MD5 | 3d18c4bf297e3c21417bc5349bf4ea52 |
| SHA1 | 3197aa74bad9a7f222a3d212a3893bbe41425123 |
| SHA256 | 2d43fbf6384a2d76d29abd7b5dfaf471110a559b86c8b716fb44d3ed74ba8740 |
| SHA512 | 29e9fbffa5329ee7b40a6f8ef95d7c653a74ff6da7d5066028500dc8e497382d841b3020cf909cd6e49b8ed25f3d35acd8805a68c46e9f208802416fd5d32fd6 |
memory/2152-18-0x0000000074B40000-0x00000000750EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp.exe
| MD5 | e0811f39f65b0012f3f5ce845cd22663 |
| SHA1 | 4f0a24b5a91b65f678110769358971b00f8ad731 |
| SHA256 | 82fb922fc3b46ef868068ae49d9221b6a0f79dc99dec6ef37239a2a54eca1f2a |
| SHA512 | 91b0e9524d04e132e50bc10a26d8f67a1bc57010332b095e90c10ea463a0a33c50f4834e48059e502cf595d2fe3d55fe098a610ce6720ac8aba4df5f28f7cd1d |
memory/2500-24-0x0000000074B40000-0x00000000750EB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 03:38
Reported
2024-11-08 03:40
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp880C.tmp.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp880C.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp880C.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe
"C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zhxtg5ue.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8993.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5B52B48F1B4E4D188A304A5391916826.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp880C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp880C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp |
Files
memory/316-0-0x0000000075182000-0x0000000075183000-memory.dmp
memory/316-1-0x0000000075180000-0x0000000075731000-memory.dmp
memory/316-2-0x0000000075180000-0x0000000075731000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zhxtg5ue.cmdline
| MD5 | abf973e5e526f409945b0fb9c1b6f324 |
| SHA1 | e05cd7bc019e5d72621f8d46ade61994b1683863 |
| SHA256 | db67e04fa47117aa6794f7ed82eccd7962700dd664aebc7ca8788df8da8fd7c1 |
| SHA512 | 5b96ea7b2730ac262add0dd941d04b2432808e5ca890375ad2b68642a1a1153b58ba8e6a84b9e19749e16791d0231521697b83542860b05ac75c2458ba83de73 |
C:\Users\Admin\AppData\Local\Temp\zhxtg5ue.0.vb
| MD5 | e2b5238cdcb9e68ca8cf321e1dd3908a |
| SHA1 | cbed5742648821f7eb9b0e19ccce525bd499cd42 |
| SHA256 | 501cd165e01d6091f44d2bc3b92302f4ab8b3c34e44b84351f86b267d484e203 |
| SHA512 | 5b7274232cea5c04753c248668f46f7111e311643600705aa304c2617c17d38dff241c35d4164478ee1bec58ea782c976f23a353b30bb339d0c08f497049cd42 |
memory/3348-9-0x0000000075180000-0x0000000075731000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 484967ab9def8ff17dd55476ca137721 |
| SHA1 | a84012f673fe1ac9041e7827cc3de4b20a1194e2 |
| SHA256 | 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b |
| SHA512 | 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7 |
C:\Users\Admin\AppData\Local\Temp\vbc5B52B48F1B4E4D188A304A5391916826.TMP
| MD5 | ea7176beed2fc1d6baf8bf502c8cd35e |
| SHA1 | 3ea8d18fcf41838b5612a3e5e60e37dceddd626d |
| SHA256 | 19daa65b2aea2a55d8b8e086b985b452cee1bebb84d234f5fbc6ab6faecec978 |
| SHA512 | 6d7b339648ad1177ede16df40bea1b346f61f0874202590ef79c5028d2d7d736d6be93484cf6943e167bdaca75951241d1560b3e31a0a4c2b6acc43a30190472 |
C:\Users\Admin\AppData\Local\Temp\RES8993.tmp
| MD5 | fbc8a143bc1306b87ce8feabe6b610db |
| SHA1 | 5a01450709228e6c0049b240fb421c7c1fa163ba |
| SHA256 | 834ec5bdd3f017812b8284058b7adc13341971307df2fa38023ff0e5874b2c1d |
| SHA512 | 43e6ea6f7d093de0380e670ddbb016cb6f69d5d4489bb6988ab585aecddaf8cf7d940e406aea28026b5bfeab519dc0a4219253ed755535a83cddcc30b16a1cef |
memory/3348-18-0x0000000075180000-0x0000000075731000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp880C.tmp.exe
| MD5 | 3b932380a022371e3dd167b6e09fdadc |
| SHA1 | d3fc1161f62ca83b1ee838f8bc9ef269c1640df3 |
| SHA256 | a95f55fa32de128bec80357fe9542b5ea9c2b680665e7c393a9c64123cd582c6 |
| SHA512 | b427e98b0159a4d22779e4ee9dfae9c38424d424e5891032331a52c2686d462c925971025cb4b1c778c4b28eba1d09020a7e0a056605e18084e62cfceb256e8d |
memory/316-22-0x0000000075180000-0x0000000075731000-memory.dmp
memory/1780-23-0x0000000075180000-0x0000000075731000-memory.dmp
memory/1780-24-0x0000000075180000-0x0000000075731000-memory.dmp
memory/1780-25-0x0000000075180000-0x0000000075731000-memory.dmp
memory/1780-26-0x0000000075180000-0x0000000075731000-memory.dmp
memory/1780-27-0x0000000075180000-0x0000000075731000-memory.dmp
memory/1780-28-0x0000000075180000-0x0000000075731000-memory.dmp
memory/1780-29-0x0000000075180000-0x0000000075731000-memory.dmp