Analysis Overview
SHA256
b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bb
Threat Level: Known bad
The file b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Metamorpherrat family
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Uses the VBS compiler for execution
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 06:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 06:47
Reported
2024-11-10 06:49
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
"C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kviqmqcu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8770.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94C722595F844E9FB14C5AFA93D9FDB7.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
Files
memory/2688-0-0x0000000074BB2000-0x0000000074BB3000-memory.dmp
memory/2688-1-0x0000000074BB0000-0x0000000075161000-memory.dmp
memory/2688-2-0x0000000074BB0000-0x0000000075161000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kviqmqcu.cmdline
| MD5 | 87fedf2af133a950e3695fb8c534c5d8 |
| SHA1 | e5cd25e4c8b81495baecf098ff67a268e11c9936 |
| SHA256 | 6b2365b93cd2be0ef058ed9d1fc8d878c61e1df35f91c4fd0b2d16a02505553c |
| SHA512 | d8ab77f88fb5401b87a503ba55d97ec16a2c401ec084f344fbc8d2f9e877a15a2527800e8a582588ec81a266e3154d924e8fa9dbaaf2e2705fac9ed85f866826 |
memory/4872-8-0x0000000074BB0000-0x0000000075161000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kviqmqcu.0.vb
| MD5 | 8eb61d6ff9adea6a5972b8ed9b9bc078 |
| SHA1 | 24cac37e4dcd5d15737141622d7ee3f771559eda |
| SHA256 | 688000902bc4dfe1ea4b4d53db0b47fdc55a4c8535ea21ab3698d469c56d3310 |
| SHA512 | 1463650a35965de5d3ce0b9a34a988adef951c862d2e25e5e6d00156e3c2d27c93c747fef59353b449fcc7dad890c085a0429174471db4a6d8d19532f5e77fc6 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8fd8e054ba10661e530e54511658ac20 |
| SHA1 | 72911622012ddf68f95c1e1424894ecb4442e6fd |
| SHA256 | 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7 |
| SHA512 | c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c |
C:\Users\Admin\AppData\Local\Temp\vbc94C722595F844E9FB14C5AFA93D9FDB7.TMP
| MD5 | 511761bc67de9d7d3c0c13fdb3b1b7f8 |
| SHA1 | 0957d1eb99b5bc3aa0fad888400bb1ac6a91499f |
| SHA256 | f34d8d467ee3b03fe0430ee6c7d06e5db44a7833590dbef360feffd7033f0e6d |
| SHA512 | 7d04d1f35678140ebe25d637a43c247f9f221ebd9d97de0c59e8a639502a3de5ad96af5fd12ce1fd32c82ed436f7ae1b545fc73834a4073b802900c3f798368c |
C:\Users\Admin\AppData\Local\Temp\RES8770.tmp
| MD5 | 48678837cf13b1e4882f21d4c04a37d9 |
| SHA1 | c78f8c6f83d2b72cc0ad10316b8c76df954facad |
| SHA256 | 1174681a1397fa1031910c98876a93a1c02f47718a90fc3ee91e5e5607c6f6b0 |
| SHA512 | c48c932d63ed8b5034e47d658f9ed152fe45f5394e3b77164d469631a4e2f076bb6f192346e6193da0dbfdfceee2b9d9404f67bef7ad13c179fb38d72534eb7b |
memory/4872-18-0x0000000074BB0000-0x0000000075161000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe
| MD5 | 3a35fccc072f32e5c7e72418f1cd80d8 |
| SHA1 | 966e5dd518ac7d94790a0939cbe18454cec7fe71 |
| SHA256 | 8d18d8264e4fe43c5f03093086fec5e129f3cabe50d8f36e84e995428c5b8946 |
| SHA512 | 23f54e5e7974288a9d7347b83e089a9156acab3bfe06b5abdbe61a7dc8b516975c86bafc327956e843b1adc918a4fb661bde1444caa63f8feb7ecc55e15f015c |
memory/2688-22-0x0000000074BB0000-0x0000000075161000-memory.dmp
memory/4976-23-0x0000000074BB0000-0x0000000075161000-memory.dmp
memory/4976-24-0x0000000074BB0000-0x0000000075161000-memory.dmp
memory/4976-26-0x0000000074BB0000-0x0000000075161000-memory.dmp
memory/4976-27-0x0000000074BB0000-0x0000000075161000-memory.dmp
memory/4976-28-0x0000000074BB0000-0x0000000075161000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 06:47
Reported
2024-11-10 06:49
Platform
win7-20240903-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp80D3.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp80D3.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp80D3.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp80D3.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
"C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\82uh9pwf.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8190.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc818F.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp80D3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp80D3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe
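Both process trees above (behavioral2 and behavioral1) show the same chain: the sample starts vbc.exe (the VB.NET command-line compiler, despite the signature's "VBS" label) with a response file in the user's Temp directory, vbc.exe spawns cvtres.exe, and the freshly compiled tmpXXXX.tmp.exe is then run with the original sample's path as its only argument and writes the Run value aspnet_state_perf pointing at another Temp path. The following Python is an added example for turning those observations into detection logic; it is not part of the sandbox report. The event records are constructed to mirror the report's command lines and registry writes (the field names, the sample name sample.exe, the SID reuse and the two benign developer/updater events are assumptions); the rules flag a .NET compiler fed a response file from a user-writable directory by a non-build-tool parent, execution of a tmpXXXX.tmp.exe dropped in Temp, and a Run value whose data lives under Temp.

```python
import re

# Constructed events modelled on the report's process trees and Run-key write.
# They are not sandbox output; sample.exe stands in for the long hash-named file.
SID = r"S-1-5-21-2437139445-1151884604-3026847218-1000"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FW2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
EVENTS = [
    {"type": "process", "image": TEMP + r"\sample.exe",
     "cmdline": f'"{TEMP}\\sample.exe"', "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "image": FW2 + r"\vbc.exe",
     "cmdline": f'"{FW2}\\vbc.exe" /noconfig @"{TEMP}\\kviqmqcu.cmdline"',
     "parent": TEMP + r"\sample.exe"},
    {"type": "process", "image": FW2 + r"\cvtres.exe",
     "cmdline": f'{FW2}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
                f'"/OUT:{TEMP}\\RES8770.tmp" "{TEMP}\\vbc94C722595F844E9FB14C5AFA93D9FDB7.TMP"',
     "parent": FW2 + r"\vbc.exe"},
    {"type": "process", "image": TEMP + r"\tmp8608.tmp.exe",
     "cmdline": f'"{TEMP}\\tmp8608.tmp.exe" {TEMP}\\sample.exe',
     "parent": TEMP + r"\sample.exe"},
    {"type": "registry", "image": TEMP + r"\tmp8608.tmp.exe",
     "key": f"HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\aspnet_state_perf",
     "data": f'"{TEMP}\\System.Web.exe"'},
    # Constructed benign events: an MSBuild-driven compile and a vendor Run value.
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'vbc.exe /noconfig @"C:\Users\Admin\source\repos\App\obj\Debug\App.cmdline"',
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"},
    {"type": "registry", "image": r"C:\Program Files\Vendor\Updater.exe",
     "key": f"HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "data": r'"C:\Program Files\Vendor\Updater.exe" /tray'},
]

# Directories an unprivileged user can write to; a compile or autostart rooted
# here is the signal, a compile under a source tree driven by MSBuild is not.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
DOTNET_COMPILER = re.compile(r"\\(vbc|csc)\.exe$", re.I)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)', re.I)
TMP_EXE = re.compile(r"\\tmp[0-9a-f]{4}\.tmp\.exe$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}  # assumed allow-list


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (rule, subject, context) tuples for every event that matches a rule."""
    hits = []
    for e in events:
        if e["type"] == "process":
            if DOTNET_COMPILER.search(e["image"]):
                m = RESPONSE_FILE.search(e["cmdline"])
                rsp = m.group(1) if m else ""
                if USER_WRITABLE.search(rsp) and basename(e["parent"]) not in BUILD_PARENTS:
                    hits.append(("compile_from_temp", e["image"], e["parent"]))
            if TMP_EXE.search(e["image"]) and USER_WRITABLE.search(e["image"]):
                hits.append(("tmp_exe_executed", e["image"], e["cmdline"]))
        elif e["type"] == "registry":
            if RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["data"]):
                hits.append(("run_key_to_temp", e["key"], e["data"]))
    return hits


if __name__ == "__main__":
    for rule, subject, context in evaluate(EVENTS):
        print(f"{rule:20} {subject}\n{'':20} {context}")
```

The three rules fire on the constructed sample events and stay silent on the MSBuild compile and the vendor Run value. cvtres.exe is deliberately not a rule of its own: it always follows vbc.exe/csc.exe and adds nothing the compiler event does not already carry. The same checks map directly onto Sysmon event 1 (Image, ParentImage, CommandLine) and event 13 (TargetObject, Details) fields.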
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
Files
memory/2076-0-0x0000000074801000-0x0000000074802000-memory.dmp
memory/2076-1-0x0000000074800000-0x0000000074DAB000-memory.dmp
memory/2076-2-0x0000000074800000-0x0000000074DAB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\82uh9pwf.cmdline
| MD5 | 0bcdb658f3044ba96cf2f557b06a1937 |
| SHA1 | 74cbc86e9a5cb95ea8135df7c7355b459c0e4911 |
| SHA256 | b6b4a5dfb1ae29a91b87e850ade5ff8b3b59c7d6af49229702939191c6a5d3e6 |
| SHA512 | 946d2157bedd16d2aa9a64a3cbe032d65ee18bd51c4bf4e0191628371d3748fce07143cb3c64483dd8dfc5635ffbbd8cd13c94d1e82f74ba85dd384d04be2f0e |
C:\Users\Admin\AppData\Local\Temp\82uh9pwf.0.vb
| MD5 | 4b38a0c659551afff7b2164769966923 |
| SHA1 | 8a14b92399c91588d7880c03e67ee175bb278769 |
| SHA256 | 718188b16dbf5d48fea4be0bfd5271dbc846787d03b626b39bb7f2b4f00f15dd |
| SHA512 | fab9e7e171bd831a47a9e90290eea0345ddfc48ade36b00c4fb49d7ea81fc1e3a404bafd4ec8f298ec9d6d15c1a9a3e226aa4d959408aedefb4eba88dc4ac35b |
memory/1848-9-0x0000000074800000-0x0000000074DAB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8fd8e054ba10661e530e54511658ac20 |
| SHA1 | 72911622012ddf68f95c1e1424894ecb4442e6fd |
| SHA256 | 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7 |
| SHA512 | c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c |
C:\Users\Admin\AppData\Local\Temp\vbc818F.tmp
| MD5 | 75a52caf48f5e41ee45a65a2ac6000e3 |
| SHA1 | 5d953fff2ddec9867b997f9248d19a9ddcf4bf51 |
| SHA256 | 3e97d06ae6777c254cb1654a6b79091061bef780b59938f7d1d7cea387cf7389 |
| SHA512 | 2e9bb7718878f30d2a43ae6a36d5ac3463e8e5a9aee8d7aa553dd9099d4e481465162ff00a62ae35ef4ef102f9329ca546655fb25244a4fa62b778074cbd9b7c |
C:\Users\Admin\AppData\Local\Temp\RES8190.tmp
| MD5 | 155468a2f55f31cc3cf6ae57d1e0496f |
| SHA1 | c5a8519f20157a2eab3203c2a4b64fba7819a928 |
| SHA256 | 5aae1c36db88e991574788e206d9b1e47a6fb301b83e26666c48b750aae4bb79 |
| SHA512 | 6d57d3490b072039c21f5e22ff1e0345b066959a037b388f9a50c2113e8cc981d44b9e535603bb811ce1156cca3ff337f847ee09256badda5e9a97532fc26c8c |
memory/1848-18-0x0000000074800000-0x0000000074DAB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp80D3.tmp.exe
| MD5 | 7f0951e823b10b29b3b469f1564bf833 |
| SHA1 | 73695285b5d810a5ca7b09364333e4b4e5bc1100 |
| SHA256 | 6550b2cf47e9f76025af83c65bc19e37230d3698c80f4366de59841a49c4a3ff |
| SHA512 | e921f0a2871f8913dea78d6b5d91a00cf8fa37dc312d34d18dab147618dc134aad564d9863306a4d2853b04e1ab5dcdbbf1b19629048a34ebee7b07760c7f1e2 |
memory/2076-24-0x0000000074800000-0x0000000074DAB000-memory.dmp