Analysis Overview
SHA256
94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52b
Threat Level: Known bad
The file 94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
Executes dropped EXE
Uses the VBS compiler for execution
Deletes itself
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 03:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 03:01
Reported
2024-11-09 03:03
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe
"C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_mym-pfs.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9078.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc463D82C58CBD4FD3976CF844EC8F32.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
Files
memory/1720-0-0x0000000074A52000-0x0000000074A53000-memory.dmp
memory/1720-1-0x0000000074A50000-0x0000000075001000-memory.dmp
memory/1720-2-0x0000000074A50000-0x0000000075001000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_mym-pfs.cmdline
| MD5 | 48e6332a5b083340f2456bb101e2cbb1 |
| SHA1 | fadac5c608d61e623e308d80d2136e1c47066426 |
| SHA256 | 4d477e06a356f276311772ac10cc405d976b0606ff4a32f07cd7af84a9ba535c |
| SHA512 | 09decf5aeb33c4c34913f667c7b4885b201760b1cf2b55ee72f3663da2ca723b112fbd558a843521cbe7c832301f095ec505331801a0efc80806824befcd8533 |
C:\Users\Admin\AppData\Local\Temp\_mym-pfs.0.vb
| MD5 | 598fe73a88949020ddfe50870da65e9c |
| SHA1 | 3469fa4c76c4cf7ce2eb9b941be921114d8b1eaa |
| SHA256 | 3a0e832857ab9435c86973bc82eaf737f67ba7e71ef959708cddee28cafda97b |
| SHA512 | 3bc602afcfa0b96ae6927e3f23e4cf3b54eab3ab63e9c37dce486ab47c6204f30aa184d06fad191514d879d38737c32d4bd0ae5ea204c921b3fa3e2fb524651c |
memory/2756-9-0x0000000074A50000-0x0000000075001000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 6870a276e0bed6dd5394d178156ebad0 |
| SHA1 | 9b6005e5771bb4afb93a8862b54fe77dc4d203ee |
| SHA256 | 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4 |
| SHA512 | 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809 |
C:\Users\Admin\AppData\Local\Temp\vbc463D82C58CBD4FD3976CF844EC8F32.TMP
| MD5 | 6de6752b6791f328c5a6d8182f86d477 |
| SHA1 | 19207a69bc05f7ba23afcb00d802b630b730e68d |
| SHA256 | 5b63520b52b463298f2c806f00dad110f4804a37a73324bf29ce3bca2024929b |
| SHA512 | 7c4b4dc1208488a90a96f76fb7cd3ddcdfc1f932bd761f75e9be412debbece8c8ba34410461a5b4d1094ed4646336806aeade935ef671b082efee01effa8567d |
C:\Users\Admin\AppData\Local\Temp\RES9078.tmp
| MD5 | 9490099935311c99874b93437e019ad9 |
| SHA1 | 6d0f5963cfc9fef721b9f67ab8fcf58e831c489d |
| SHA256 | e4681c931446027ad5862ff8db3f1cafeca3d12d228a411a5add5248534d84ff |
| SHA512 | 8c8f7bdb103e78bdca8bdb24233d0d604e5f8b6eae4862fc2a5274d9033c12fbfef9f4517dab73bc0efbc2ee4d7cf1ca5150a77539e8c0e7770a07a2483665d3 |
memory/2756-18-0x0000000074A50000-0x0000000075001000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe
| MD5 | 7cf8103b7f88099cf61dd0d2995ef009 |
| SHA1 | 29843463e001528afa9205a99764bbb434c196e0 |
| SHA256 | 75a1ed3ab304d2d7c443e2cffb13ae08d2a2c34da22c32544e8e89e64ccd9adc |
| SHA512 | a69b3e061191838369417c36ca0df144309eda3b40f59086790fd1f1f19eda33807a82448dd6faf3eb12bee814b9eefb57c01aae7b0adf96b2345018b3d6b376 |
memory/1720-22-0x0000000074A50000-0x0000000075001000-memory.dmp
memory/3180-23-0x0000000074A50000-0x0000000075001000-memory.dmp
memory/3180-24-0x0000000074A50000-0x0000000075001000-memory.dmp
memory/3180-26-0x0000000074A50000-0x0000000075001000-memory.dmp
memory/3180-27-0x0000000074A50000-0x0000000075001000-memory.dmp
memory/3180-28-0x0000000074A50000-0x0000000075001000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 03:01
Reported
2024-11-09 03:03
Platform
win7-20241023-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB1A3.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpB1A3.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpB1A3.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB1A3.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe
"C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pkjl0xrt.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2BD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2BC.tmp"
C:\Users\Admin\AppData\Local\Temp\tmpB1A3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB1A3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe
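Both process trees above (behavioral2 and behavioral1) show the same chain: the sample in %TEMP% starts vbc.exe with a response file in %TEMP%, vbc.exe starts cvtres.exe, and the sample then runs a freshly written tmp*.tmp.exe and passes its own path as the argument, while that dropped process writes the Run key `mscorsvc` pointing at a %TEMP% path. The following is an added detection example, not code from the report or from any sandbox vendor. It evaluates three rules over process-creation and registry events. The events are constructed to mirror the report's process tree; the PIDs, the parent of the sample and the benign developer build used as a control are made up, since the report does not state them.

```python
import re
from dataclasses import dataclass

# Path patterns shared by the rules below
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
COMPILER_RE = re.compile(r"\\(vbc|csc)\.exe$", re.IGNORECASE)
RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


@dataclass
class ProcEvent:          # one process-creation record (Sysmon event 1 style)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:           # one registry value-set record (Sysmon event 13 style)
    pid: int
    value_path: str
    data: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe")
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe"

# Constructed events modelled on the behavioral2 tree. PIDs are invented (the report
# gives none). The last process is a benign control: a developer build from a project dir.
PROCS = [
    ProcEvent(1720, 800, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2756, 1720, VBC,
              f'"{VBC}" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\_mym-pfs.cmdline"'),
    ProcEvent(2800, 2756, CVTRES,
              f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 '
              f'"/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RES9078.tmp" '
              f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\vbc463D82C58CBD4FD3976CF844EC8F32.TMP"'),
    ProcEvent(3180, 1720, DROPPED, f'"{DROPPED}" {SAMPLE}'),
    ProcEvent(4100, 4000, VBC, f'"{VBC}" /noconfig @"C:\\src\\app\\obj\\Debug\\app.cmdline"'),
]
REGS = [
    RegEvent(3180, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc",
             r'"C:\Users\Admin\AppData\Local\Temp\sortkey.exe"'),
    # benign control: a Run value pointing at a normal per-user install location (constructed)
    RegEvent(900, r"\REGISTRY\USER\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
             r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]


def detect_runtime_compile(procs):
    """vbc/csc started with a response file in %TEMP%: the .NET compile-at-runtime pattern."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        m = RESPONSE_FILE_RE.search(p.cmdline) if COMPILER_RE.search(p.image) else None
        if not m or not TEMP_RE.search(m.group(1)):
            continue
        parent = by_pid.get(p.ppid)
        hits.append({"rule": "runtime_compile_from_temp", "pid": p.pid,
                     "response_file": m.group(1),
                     "parent_in_temp": bool(parent and TEMP_RE.search(parent.image))})
    return hits


def detect_dropped_exe_handoff(procs):
    """A %TEMP% executable started by a %TEMP% parent and handed the parent's own path.
    In the report the 'Deletes itself' signature is attributed to exactly this child."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if (parent and TEMP_RE.search(p.image) and TEMP_RE.search(parent.image)
                and parent.image.lower() in p.cmdline.lower()):
            hits.append({"rule": "dropped_exe_given_parent_path", "pid": p.pid,
                         "image": p.image, "parent": parent.image})
    return hits


def detect_run_key_to_temp(regs):
    """Run-key value whose data points into %TEMP%. The value name is returned so that a
    Microsoft-looking name such as mscorsvc can be compared with the binary it launches."""
    return [{"rule": "run_key_points_to_temp", "pid": r.pid,
             "value_name": r.value_path.rsplit("\\", 1)[-1], "data": r.data}
            for r in regs if RUN_KEY_RE.search(r.value_path) and TEMP_RE.search(r.data)]


def triage(procs, regs):
    return (detect_runtime_compile(procs)
            + detect_dropped_exe_handoff(procs)
            + detect_run_key_to_temp(regs))


if __name__ == "__main__":
    for finding in triage(PROCS, REGS):
        print(finding)
```

The first rule on its own is noisy on developer machines, which is why the response-file location and the parent's location are both part of the finding; the three rules firing together from one parent is the signal worth alerting on.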
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | N/A | tcp |
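The two network tables (behavioral2 and behavioral1) tell the same story: every DNS query goes to the sandbox resolver 8.8.8.8, the only TCP traffic is repeated plain HTTP to bejnz.com at 44.221.84.105:80, rwkeith.no-ip.org (a No-IP dynamic DNS name) is looked up over and over without any recorded connection to it, and the in-addr.arpa reverse lookups in behavioral2 are the kind of background noise the OS generates on its own. The script below is an added example, not part of the report: it parses rows in the page's own table format, separates forward lookups from reverse lookups, counts connections per destination, flags dynamic-DNS names and names that were queried but never connected to, and emits a deduplicated IoC list. The rows are a constructed subset of the tables above; the dynamic-DNS suffix list is an assumption to extend for your environment.

```python
from collections import Counter

# Dynamic-DNS suffixes to flag (assumption, not taken from the report)
DYNDNS_SUFFIXES = ("no-ip.org", "no-ip.com", "no-ip.biz", "ddns.net", "duckdns.org", "dyndns.org")

# Constructed subset of the report's network rows, in the page's table format.
# The last row has no Domain cell, like the final row of the behavioral1 table.
TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | tcp |
"""


def parse_rows(text):
    """Parse '| Country | Destination | Domain | Proto |' rows; tolerate a missing Domain cell."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            country, dest, domain, proto = cells
        elif len(cells) == 3:
            country, dest, proto = cells
            domain = ""
        else:
            continue
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():          # skips the header row
            continue
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": "" if domain == "N/A" else domain, "proto": proto.lower()})
    return rows


def summarize(rows):
    dns = [r for r in rows if r["proto"] == "udp" and r["port"] == 53]
    conns = [r for r in rows if r["proto"] == "tcp"]
    forward = Counter(r["domain"] for r in dns if not r["domain"].endswith(".in-addr.arpa"))
    reverse = sum(1 for r in dns if r["domain"].endswith(".in-addr.arpa"))
    by_dest = Counter(f"{r['ip']}:{r['port']}" for r in conns)
    connected_domains = {r["domain"] for r in conns if r["domain"]}
    return {
        "forward_queries": dict(forward),
        "reverse_lookups": reverse,
        "tcp_by_destination": dict(by_dest),
        "dynamic_dns": sorted(d for d in forward if d.endswith(DYNDNS_SUFFIXES)),
        # resolved (or attempted) but never contacted: a fallback C2 name worth sinkholing
        "queried_never_connected": sorted(set(forward) - connected_domains),
        "iocs": sorted(set(forward) | set(by_dest)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(TABLE)).items():
        print(f"{key}: {value}")
```

Reverse lookups are counted rather than listed because they carry no attribution value here; the forward names and the IP:port pair are what belong in a blocklist, and the never-connected dynamic-DNS name deserves its own watch since it can be repointed at any time.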
Files
memory/1776-0-0x0000000074531000-0x0000000074532000-memory.dmp
memory/1776-1-0x0000000074530000-0x0000000074ADB000-memory.dmp
memory/1776-2-0x0000000074530000-0x0000000074ADB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pkjl0xrt.cmdline
| MD5 | 75f4c0fc6430c37d19957d13b3c89d4e |
| SHA1 | d24bffc7285372a3fd48ac24957e404b6ffcf914 |
| SHA256 | 1eba452386b89b42034c262674975fc6c92b71197d99f43b0d06faed169d241e |
| SHA512 | 3db6e8d6a05e141565bf253501d3b9e530d69dda00fff85559542539d9e341894c34e54c35afce5bc3502f9526c994cb4ff3b70e6f43c434a5a8dcda8325ef1e |
memory/3000-8-0x0000000074530000-0x0000000074ADB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pkjl0xrt.0.vb
| MD5 | aeb7f6035d90138e0cc0870c7b70066f |
| SHA1 | a7147994253acd0c63c4d962c4dac2c1facd848f |
| SHA256 | 7fd132eac2d6ef7f5ac0959bbab7d31b2a9db69d35ce16772f54894267b58b97 |
| SHA512 | 2e782c2a6f919fe4df321fab9722b2a51f0c9771d0defd031cdc6781cbd64f741278f0ad4ebd66cd6316e2645dede635d3f4e8ad535d5d2d8695ea86c228e70b |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 6870a276e0bed6dd5394d178156ebad0 |
| SHA1 | 9b6005e5771bb4afb93a8862b54fe77dc4d203ee |
| SHA256 | 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4 |
| SHA512 | 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809 |
C:\Users\Admin\AppData\Local\Temp\vbcB2BC.tmp
| MD5 | 6b260cd68b3e8b3782b3ca94c1c88a87 |
| SHA1 | c7ea88e7f81f3f2d3605673aff615fcbc9c8fb36 |
| SHA256 | 32bf351c97b2243673700811a00b321e0a39358223ff0774770e50d051cef263 |
| SHA512 | 5997d30dc007b580418f51edc142af8f62680ddd463aa12d7c76bb4b59035f3ded9c9e0708cd4debbf4f13c7061e34fc603f64a9b959729066abb5693ddab5e5 |
C:\Users\Admin\AppData\Local\Temp\RESB2BD.tmp
| MD5 | c94ab7b6d1dda59550c3a8a1bf5b8310 |
| SHA1 | 059e7a0fcd8a58446e7ce9e39190bd7dbb636a61 |
| SHA256 | 2ca1ba42c8f7998313fd3293ca707a8bb8f962b48a6cef518cf4af1479f3f227 |
| SHA512 | a5d1e510de388186d720c5075ea5ea80416629069b88bbff01498d47050b474131c5293724299cf96806eb07a0df6752c5b753253d4844955c3cbc1fbf8c8bb4 |
memory/3000-18-0x0000000074530000-0x0000000074ADB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB1A3.tmp.exe
| MD5 | 512169605dbc0d972b38da2914b08d0c |
| SHA1 | 84d835bbec5bd96d908e5c24e37d27dd0bb79fdf |
| SHA256 | 3671fe8318e01851a739c8102193ad5f8092ab9bb3f7f67e89751cd2400f00f0 |
| SHA512 | dcf95a73fc57e8eaa8a54e71a500b5627af802bf406d8dbe9133fb22cb09d68347342c0dce907a568948b35dcb64099b60f62c0c133c442cbdbe2a18873557b6 |
memory/1776-24-0x0000000074530000-0x0000000074ADB000-memory.dmp
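Comparing the Files sections of the two runs shows which artifacts are worth hunting on by hash. The compiler response file, the generated .vb source, the vbc scratch file, the cvtres output and the dropped tmp*.tmp.exe all have different names and different SHA256 values in behavioral2 and behavioral1, because they are produced by a fresh compile on every execution; zCom.resources is byte-identical in both runs (same SHA256). The script below is an added example, not part of the report: it assigns each dropped file a role from its name pattern, then reports per role whether the hash is stable across runs. The hash values are copied from the tables above; the role patterns are an assumption drawn from the file names in this report.

```python
import re
from collections import defaultdict

# Role patterns, derived from the file names in this report (assumption)
ROLES = [
    ("compiler response file", re.compile(r"\.cmdline$", re.I)),
    ("generated VB source",    re.compile(r"\.0\.vb$", re.I)),
    ("embedded resource",      re.compile(r"\.resources$", re.I)),
    ("vbc scratch file",       re.compile(r"^vbc[0-9a-f]+\.tmp$", re.I)),
    ("cvtres output",          re.compile(r"^res[0-9a-f]+\.tmp$", re.I)),
    ("dropped executable",     re.compile(r"^tmp[0-9a-f]+\.tmp\.exe$", re.I)),
]

T = r"C:\Users\Admin\AppData\Local\Temp"
# path -> SHA256, copied from the two Files sections of the report
RUN_FILES = {
    "behavioral2": {
        T + r"\_mym-pfs.cmdline": "4d477e06a356f276311772ac10cc405d976b0606ff4a32f07cd7af84a9ba535c",
        T + r"\_mym-pfs.0.vb": "3a0e832857ab9435c86973bc82eaf737f67ba7e71ef959708cddee28cafda97b",
        T + r"\zCom.resources": "69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4",
        T + r"\vbc463D82C58CBD4FD3976CF844EC8F32.TMP": "5b63520b52b463298f2c806f00dad110f4804a37a73324bf29ce3bca2024929b",
        T + r"\RES9078.tmp": "e4681c931446027ad5862ff8db3f1cafeca3d12d228a411a5add5248534d84ff",
        T + r"\tmp8F5F.tmp.exe": "75a1ed3ab304d2d7c443e2cffb13ae08d2a2c34da22c32544e8e89e64ccd9adc",
    },
    "behavioral1": {
        T + r"\pkjl0xrt.cmdline": "1eba452386b89b42034c262674975fc6c92b71197d99f43b0d06faed169d241e",
        T + r"\pkjl0xrt.0.vb": "7fd132eac2d6ef7f5ac0959bbab7d31b2a9db69d35ce16772f54894267b58b97",
        T + r"\zCom.resources": "69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4",
        T + r"\vbcB2BC.tmp": "32bf351c97b2243673700811a00b321e0a39358223ff0774770e50d051cef263",
        T + r"\RESB2BD.tmp": "2ca1ba42c8f7998313fd3293ca707a8bb8f962b48a6cef518cf4af1479f3f227",
        T + r"\tmpB1A3.tmp.exe": "3671fe8318e01851a739c8102193ad5f8092ab9bb3f7f67e89751cd2400f00f0",
    },
}


def classify(path):
    """Map a dropped-file path to its role in the compile-and-drop chain."""
    name = path.rsplit("\\", 1)[-1]
    for role, pattern in ROLES:
        if pattern.search(name):
            return role
    return "other"


def compare_runs(runs):
    """role -> {'sha256': hashes seen, 'stable': True only if one hash appeared in every run}."""
    seen = defaultdict(lambda: defaultdict(set))   # role -> sha256 -> {run names}
    for run, files in runs.items():
        for path, sha in files.items():
            seen[classify(path)][sha].add(run)
    result = {}
    for role, hashes in seen.items():
        stable = len(hashes) == 1 and next(iter(hashes.values())) == set(runs)
        result[role] = {"sha256": sorted(hashes), "stable": stable}
    return result


def hunt_hashes(runs):
    """Only hashes that survived every run are useful as file IoCs."""
    return sorted(sha for info in compare_runs(runs).values() if info["stable"]
                  for sha in info["sha256"])


if __name__ == "__main__":
    for role, info in compare_runs(RUN_FILES).items():
        print(f"{role:24} stable={info['stable']} {info['sha256']}")
    print("hunt on:", hunt_hashes(RUN_FILES))
```

The practical consequence: a hash of tmp8F5F.tmp.exe or tmpB1A3.tmp.exe will never match another infection, so detection for this sample has to rest on the process chain, the Run key and the stable resource, not on the compiled payload.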