Analysis Overview
SHA256
c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25
Threat Level: Known bad
The file c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 02:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 02:06
Reported
2024-04-09 02:09
Platform
win7-20231129-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe
"C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hqsesjwu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEC0.tmp"
C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/1108-0-0x0000000074510000-0x0000000074ABB000-memory.dmp
memory/1108-1-0x0000000074510000-0x0000000074ABB000-memory.dmp
memory/1108-2-0x0000000002210000-0x0000000002250000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hqsesjwu.cmdline
| Algorithm | Digest |
| --- | --- |
| MD5 | c0acac0e4866d715ad98faa8ca56bf24 |
| SHA1 | 7caac48be7c5a38332736a10c462f3ee78f40e32 |
| SHA256 | 1435c5efd868dc873af620ba24844a617f9d4781151afe9eeb2cf67bc3a9f709 |
| SHA512 | b063e7cdd4540218b7adad2800d9b83048fa0f29319fcb26ce0f2bb2931fd792aa4ac51d9119349086d8c119bbfba9bcc297789d1c6c982230cb5979976e9ece |
C:\Users\Admin\AppData\Local\Temp\hqsesjwu.0.vb
| Algorithm | Digest |
| --- | --- |
| MD5 | cabc418c9232104a7f8e951599fe9fdc |
| SHA1 | 1d0ea1545723c6b0c424ff888fdc5cf58b37e2c4 |
| SHA256 | ab72d02776790f86486a354c901af394f5d1c141627a8654839c0e548070b3e9 |
| SHA512 | 1cf3888fe037d6d18ba6fe5e5208993804a2155ff8a0956c9fe8d303410687f0ba54aa0f3ae59c1ebd7105f52730e0c0bd6b79dbe7b9ab889261758b91dffca6 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| Algorithm | Digest |
| --- | --- |
| MD5 | 6870a276e0bed6dd5394d178156ebad0 |
| SHA1 | 9b6005e5771bb4afb93a8862b54fe77dc4d203ee |
| SHA256 | 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4 |
| SHA512 | 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809 |
C:\Users\Admin\AppData\Local\Temp\vbcEC0.tmp
| Algorithm | Digest |
| --- | --- |
| MD5 | 8662a00c0a86fcd78092cac8d12f7ac7 |
| SHA1 | eb0bd52f284876d113fcab1d8df94af4c516baa8 |
| SHA256 | 18f582b49439b5a20cc0d71060689e6486372f1e3b79d8c413ec44c8f7d5fe8a |
| SHA512 | 0466f34c97388809bd268088e4909fc158791117d3afde98c45c6753b9bcc319e90a849095013b8a14ccb2927d216ca7d8cda9c62e8d7112f087cad5492307c5 |
C:\Users\Admin\AppData\Local\Temp\RESEC1.tmp
| Algorithm | Digest |
| --- | --- |
| MD5 | 68f9774225eaafb08266764a33dae62f |
| SHA1 | a25e1681086a185b83860cb03f6d2877983406f7 |
| SHA256 | 938b4d0630d90155ef89d5b009ed9b186e64ac9eea6ab38b2095d173054f5f7b |
| SHA512 | 06472e457d6b9e55ca91cacd7603769cc80b1319a670c8c0f15a413c2acb99723370f7b84336fe539f73e8b8811aa09d63dcd0ca6c00e16cf1326f6b50149a36 |
C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 61edab1e6c3c740becadd2afab08d23d |
| SHA1 | 2197e4295432e4d2eb669deb988b80f79a6c77f4 |
| SHA256 | e6c70b1b959b89b8f1fe2235d4a96b00b3d14a558162c50496ac62c0c0f7bfcc |
| SHA512 | dff8da05a16059af7ae176c124d85190ef38746d1ddd4ceef65aa5ce2be04571fbb3be4a4b96a51642918b3b39fa6b2c6493c60e3088bca77d9bc8d0ad74e5da |
memory/1108-22-0x0000000074510000-0x0000000074ABB000-memory.dmp
memory/2792-23-0x0000000074510000-0x0000000074ABB000-memory.dmp
memory/2792-24-0x00000000020B0000-0x00000000020F0000-memory.dmp
memory/2792-25-0x0000000074510000-0x0000000074ABB000-memory.dmp
memory/2792-27-0x00000000020B0000-0x00000000020F0000-memory.dmp
memory/2792-29-0x00000000020B0000-0x00000000020F0000-memory.dmp
memory/2792-28-0x0000000074510000-0x0000000074ABB000-memory.dmp
memory/2792-30-0x00000000020B0000-0x00000000020F0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 02:06
Reported
2024-04-09 02:09
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3345.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp3345.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3345.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe
"C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bxegukxd.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES343F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5337CD363044907AF3CECB35CADDAD4.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp3345.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3345.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
memory/5084-0-0x00000000750B0000-0x0000000075661000-memory.dmp
memory/5084-1-0x00000000750B0000-0x0000000075661000-memory.dmp
memory/5084-2-0x0000000001380000-0x0000000001390000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bxegukxd.cmdline
| Algorithm | Digest |
| --- | --- |
| MD5 | 52fb153f6a743c771856ecacb16ef07f |
| SHA1 | a0f9d82f727209daf0914af224600338bd0ef248 |
| SHA256 | 81e8e110b501e036ccc262d2e3474b875e287788b5004d0e91f35c8cfcbc19ed |
| SHA512 | ead4e3c4c592d20ec032cb858309c3e03497bf3eb8196abbf6c0cd9b749da4310b09d59dae9e27e2b37c79ed9c9d0376b1c7bd38e1df72b363799f03a1cb38f6 |
memory/64-8-0x00000000027D0000-0x00000000027E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bxegukxd.0.vb
| Algorithm | Digest |
| --- | --- |
| MD5 | e99ebc6bc24a2bdfcb4ec637ff57c064 |
| SHA1 | 897c979880d5ca1e4c382f467ac46fe32f3d857f |
| SHA256 | 072b4d402cbeaab07fb9856746baad33cf0c922e5648016affc6b09268c4dfce |
| SHA512 | 2b2150d7c3ebb20c255a6856c69dff0f7557ed10a22109a22ea5c0162c2ecde5f7ffa7eacf1f6d234a677b278c4a1e6c70226882ef7ec46b9d4187731e25e8d6 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| Algorithm | Digest |
| --- | --- |
| MD5 | 6870a276e0bed6dd5394d178156ebad0 |
| SHA1 | 9b6005e5771bb4afb93a8862b54fe77dc4d203ee |
| SHA256 | 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4 |
| SHA512 | 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809 |
C:\Users\Admin\AppData\Local\Temp\vbcC5337CD363044907AF3CECB35CADDAD4.TMP
| Algorithm | Digest |
| --- | --- |
| MD5 | 3dcbc61eac7e753d6d81c040ab411093 |
| SHA1 | 0198c87b5c013b0623da380053ef6c248ffbb04a |
| SHA256 | ea173764d58f963cda1ad7a4fcfa4fef48cdc5e6f3490371d2619141c799f8dc |
| SHA512 | dad9a8cfb05b392d32a38ec45c402836dcb6ff70a3eaf9624b852d5a10a757ef3786fca96b88c8dec46f110f9347f0457c27538fa98f2e8aefe16a7a82e174b5 |
C:\Users\Admin\AppData\Local\Temp\RES343F.tmp
| Algorithm | Digest |
| --- | --- |
| MD5 | 396704f7b1099528db2e8d2670c92bd4 |
| SHA1 | dc6799ed13c67805b8026f063ea3e3561e8399fa |
| SHA256 | 7f2130d7d3a2256639bdcae7ba7aca5e42e021d74bbd13ba775839bf75c8ae15 |
| SHA512 | 0f61519915b634e2b65677499b5000af4bad91f7d67d5aa4296e3eab1617ec594eb3646a6db7bcf76d2e033d41cd27282aa1647aa56dfb07576df7ceebcb72ae |
C:\Users\Admin\AppData\Local\Temp\tmp3345.tmp.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | b0b093af02128503a7ab8f8d0183289e |
| SHA1 | 85be34e86f906aee0428d8e0d6dd6568ec277dc8 |
| SHA256 | c1beb34f739a86ab382d63431efd640b81fcc73c520f0b2a42448c5dbab32b66 |
| SHA512 | efd1ff2d9ac697d634a5eb8670fc576d64283c6a652b612db67b240e562730380f5163680fefc1422134cdf498f38724bfc6d02fe2c71092b4c90b78827e1ea7 |
memory/5084-21-0x00000000750B0000-0x0000000075661000-memory.dmp
memory/5036-22-0x00000000750B0000-0x0000000075661000-memory.dmp
memory/5036-23-0x00000000011F0000-0x0000000001200000-memory.dmp
memory/5036-24-0x00000000750B0000-0x0000000075661000-memory.dmp
memory/5036-26-0x00000000011F0000-0x0000000001200000-memory.dmp
memory/5036-27-0x00000000750B0000-0x0000000075661000-memory.dmp
memory/5036-28-0x00000000011F0000-0x0000000001200000-memory.dmp
memory/5036-29-0x00000000011F0000-0x0000000001200000-memory.dmp