Analysis Overview
SHA256
b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570
Threat Level: Known bad
The file b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Metamorpherrat family
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Uses the VBS compiler for execution
Adds Run key to start application
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 02:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 02:38
Reported
2024-11-09 02:41
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe
"C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c3njrxmt.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CEC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E526CA59D940FF8FCA129C2BB9D5A5.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | tcp |
Files
memory/1356-0-0x00000000749D2000-0x00000000749D3000-memory.dmp
memory/1356-1-0x00000000749D0000-0x0000000074F81000-memory.dmp
memory/1356-2-0x00000000749D0000-0x0000000074F81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c3njrxmt.cmdline
| MD5 | b224861c9f4cb83614ca312470943b7f |
| SHA1 | acf2deac748a8ff56fcff784819e1954db5af920 |
| SHA256 | 8de1fdd78601efe535872000dccbdda28ca58f5a24a26c68c8a8097320a94b38 |
| SHA512 | 0943aa3432a7c563907196f9b19d56dcb34100d6231b59d058534bb7ffd1e4d737faa686ff08d3267a69558338a556d08488af31b6702f1b7557a635445cb742 |
C:\Users\Admin\AppData\Local\Temp\c3njrxmt.0.vb
| MD5 | 6a76defbb4fc5df5c5e46d899f0fccfa |
| SHA1 | 31a6d35661beec3085b717709065a8d2b584bdb3 |
| SHA256 | 94900dc6f9878bab9c41f1a5baf994454e1c06d16355aad1f8d83af7fe06ed1f |
| SHA512 | a54becbf1bc564d8667a0884717e911b6fc66cba07db43d4f9b79844699623d27466b2dcd2502ee3902e3c6195105719d96a456709f0e25c084586cce4289912 |
memory/3484-9-0x00000000749D0000-0x0000000074F81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | a26b0f78faa3881bb6307a944b096e91 |
| SHA1 | 42b01830723bf07d14f3086fa83c4f74f5649368 |
| SHA256 | b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5 |
| SHA512 | a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c |
C:\Users\Admin\AppData\Local\Temp\vbc2E526CA59D940FF8FCA129C2BB9D5A5.TMP
| MD5 | c0dc8a76a6b8151727fd299fb8fcaf60 |
| SHA1 | eb4828088205baaf92cfc000534f045b0c7b5cfe |
| SHA256 | a01e63f95fcd953b8de23d44899af867ac98f7cb8dca8f069823512d70d19036 |
| SHA512 | 7c6532389098fb3686ad1444a2119fe9338c364d587077ede0d8a5cda5216f4c4d3e47d620609b22e847206313356db4258c7ef1a9d7622939ed85f7b1d91946 |
C:\Users\Admin\AppData\Local\Temp\RES9CEC.tmp
| MD5 | 8e2c7f76cbc182df78059f1898ef1665 |
| SHA1 | 33d82d4bbd6af7d21b14330dd556ca03672bc578 |
| SHA256 | bb47f0a7902e05b8037c438ff8dee464b5c1a36fa77ef59eade2b09574e29e30 |
| SHA512 | 00c8a4bf1b43bb2fa7cb442a42310416a90941c20deebc1f98719ceb9c9ecc455891d24e5aedf87c498442c019bce8e1287673ab258404ca39985a58a241f449 |
memory/3484-18-0x00000000749D0000-0x0000000074F81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe
| MD5 | e5d82fabd54cbc5bde7b290c23c9c3f1 |
| SHA1 | cbea914b90472a1fabca37633cc1ace928caf08d |
| SHA256 | fda04eaa80a2c637459804588eef207db5c54fcabf0155fc41b0a204fda996b1 |
| SHA512 | 73bf9d51990912a2c39cb5355f9c2ba7c589e39912149ee7fc299261a8b7c1908ca6c84f1a3efdb3561b0940fca9990b3ca5ecd42a39033f02e42d6c3104c44e |
memory/2360-22-0x00000000749D0000-0x0000000074F81000-memory.dmp
memory/1356-23-0x00000000749D0000-0x0000000074F81000-memory.dmp
memory/2360-25-0x00000000749D0000-0x0000000074F81000-memory.dmp
memory/2360-24-0x00000000749D0000-0x0000000074F81000-memory.dmp
memory/2360-26-0x00000000749D0000-0x0000000074F81000-memory.dmp
memory/2360-27-0x00000000749D0000-0x0000000074F81000-memory.dmp
memory/2360-28-0x00000000749D0000-0x0000000074F81000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 02:38
Reported
2024-11-09 02:41
Platform
win7-20240903-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe
"C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h-bp_grx.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB27E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB27D.tmp"
C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | tcp |
Files
memory/1292-0-0x0000000074201000-0x0000000074202000-memory.dmp
memory/1292-1-0x0000000074200000-0x00000000747AB000-memory.dmp
memory/1292-3-0x0000000074200000-0x00000000747AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\h-bp_grx.cmdline
| MD5 | 06d3c988e27ea3597ef67295a7b932ab |
| SHA1 | e4a409d2f23cec55cefbcb6c827f4ed0c12fba31 |
| SHA256 | a3d44a7821471955dc76f311233065e4a386a2f6d5d96460206a9c8bdf1449d6 |
| SHA512 | 27107a4c45f8029fde96d3d17bb53b356b6799bc64ace03f4095729e597081f0eee9e0a228e9def8b3cfd49db1ce919f45989a59454e92099af571a46cf06e76 |
memory/2548-8-0x0000000074200000-0x00000000747AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\h-bp_grx.0.vb
| MD5 | d39809f5b6c7dfca17cbe6b793f682e4 |
| SHA1 | ca75b3ca02800605d295fb086d24f51652a13bf3 |
| SHA256 | a1b800ac1307d169974a3e933334315455d97e17d57c43a23f5d75d48362fc31 |
| SHA512 | c56c41724beea1ad14df3d8abbe0dacd46ed695acbd1a6cb43e6beb173a6fcf8d411a4420f385fe1ca3b0bb534b4828f77002738cd2479377f144550d9fc828a |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | a26b0f78faa3881bb6307a944b096e91 |
| SHA1 | 42b01830723bf07d14f3086fa83c4f74f5649368 |
| SHA256 | b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5 |
| SHA512 | a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c |
C:\Users\Admin\AppData\Local\Temp\vbcB27D.tmp
| MD5 | 5e80f47a3ec03e1a06232bfbb1966184 |
| SHA1 | ddbadf7d102fc8c0db4b46b21249a6d4b0fe2e21 |
| SHA256 | 2f5e1046ce4d9f472b57e6ac1c9a8e53f50ec7e6c9d4f968198a2bbb00a37836 |
| SHA512 | 9a6a5835ac84d48458d573f94cb3f63b9fbf8848c8cd3615a942e0ad38cd12568b0ae23a1e5ed2660858a4ee27daf858fbe646cf600c32165d66d0295b8317b1 |
C:\Users\Admin\AppData\Local\Temp\RESB27E.tmp
| MD5 | 3405930fd5ffb4f888d239877e89ce26 |
| SHA1 | 0f547eb703f43f4f866f25e622e6adf0a9a1440f |
| SHA256 | 163331a96f6ddf1ea0d35e304a200ebe8c91c9406d6d1e3afdaf6081a37a64b8 |
| SHA512 | e4ab3eb79e26a0252f3085b86a6e0f95c8fb4c43bc05772eeeaf51e2cc295ba6f732d53a7c4b03772999a544e486f3d4da023cb8bc8ca2a9e8f9a2a8c5a80bdc |
memory/2548-18-0x0000000074200000-0x00000000747AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe
| MD5 | 939d261f432e07e1ba1d3d2abca61cf0 |
| SHA1 | cc6db01681c76c3edb3439a682f984548be042bf |
| SHA256 | a221a635c6ce41813adde90bd62190dfd8220a87df0913bc13cc3ce1cb71867a |
| SHA512 | ddb0a5c09e9ce920671b04bab3833b7c4cad87948c3b98f48c45ead5b74cddc5f56050ec0b3955c5de3b326e54ee7144494261e24bd8939b8e3429bf4de512c2 |
memory/1292-24-0x0000000074200000-0x00000000747AB000-memory.dmp