Analysis Overview
SHA256
37dd69272c8cb247c3bb56283a9a786cc5cde3abaefcfead2067f81106f64d4e
Threat Level: Known bad
The file 1b8daf3e4c9c5407447c3c96e0b0ed7b was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Checks computer location settings
Uses the VBS compiler for execution
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-10 05:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 05:42
Reported
2024-04-10 05:46
Platform
win7-20240221-en
Max time kernel
215s
Max time network
247s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6133.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp6133.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6133.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe
"C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pejrj70a.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C04.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C03.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp6133.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6133.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2996-0-0x00000000744A0000-0x0000000074A4B000-memory.dmp
memory/2996-2-0x0000000000BB0000-0x0000000000BF0000-memory.dmp
memory/2996-1-0x00000000744A0000-0x0000000074A4B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pejrj70a.cmdline
| MD5 | 2ae027ea022ce6db49f4d6f11af059a1 |
| SHA1 | 76106da7b68864a623b842b5e40cd357c98a1455 |
| SHA256 | 157a957c2086c76eadfe8e03add031f18fcb984a859d8762f91eba97c13dae36 |
| SHA512 | 63e888b970f73bb84dd9758b58931d160fbfa26a5fef65c28ce3d2e9b739b9c762abce5769e8fd2501664fc2b4144b4036bd97c12d74042dfd510d25f6175a6d |
memory/2996-8-0x00000000744A0000-0x0000000074A4B000-memory.dmp
memory/2764-9-0x00000000022B0000-0x00000000022F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pejrj70a.0.vb
| MD5 | 610e072cfc9c7f9030af6bba8cc4c665 |
| SHA1 | 724e1fd137145d37028856edf83e96287606605e |
| SHA256 | d5d56aca6147f675cd95d81c8f0588e35b019225994fc97a66f376410456a1c6 |
| SHA512 | cc2f61226e1ddbe9e179c2771b6982db9f28bb2f77feeedef7b406eaee35de797f9d9da3fb785bf1f5bd445ce925a20b7283da5a87e958b6ab77a8dd01cbc2ae |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8fd8e054ba10661e530e54511658ac20 |
| SHA1 | 72911622012ddf68f95c1e1424894ecb4442e6fd |
| SHA256 | 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7 |
| SHA512 | c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c |
C:\Users\Admin\AppData\Local\Temp\vbc7C03.tmp
| MD5 | 456a3608ec7178f94adc01fe3c8c3d2d |
| SHA1 | 9bfda8b56d31e492e8881045270508737779873b |
| SHA256 | eb1b044d82abb8bca7c5ad8aab130d783d5bb81f25c15e5331facbcbd4aea9c5 |
| SHA512 | d2643c1f67dd855b44dd2c96c9193f11e567ab7919d3feeba596624e4bf5ecd7e23321e5c63da4638299aa69ba6b48c0726fa7eceff2765446f202ae8847cd70 |
C:\Users\Admin\AppData\Local\Temp\RES7C04.tmp
| MD5 | eee25a938ab0889f04c0f132022ae326 |
| SHA1 | 165d44fb4dea19d9b2428576445a2d01fd22742a |
| SHA256 | d12eacb0bed784691a4b4df358c8bd1882a5e8b130133b7f9af920f82f7fc60e |
| SHA512 | e26c914829587388b8439199f2ab7283c685e80debb4fa9dfb26d50577bd54dd45eb8f1c332902d635f4a269c10fff034f0246ac82affe6e4293e0accaa505a4 |
C:\Users\Admin\AppData\Local\Temp\tmp6133.tmp.exe
| MD5 | d49ae592d8fbfadc2a860872fc548df0 |
| SHA1 | a9a1847c22c173027b6d26169b6934de86c17d70 |
| SHA256 | 5fdec8e7b1fa5e61438cf123f79f1c6add5c435db6b273fbfa662051f8e29839 |
| SHA512 | a2ef68e24c43d95ddecc58282b4a5bb2b6a6b660c47390d0979133e2c26c33295a6b8fbbceef078f7b92f26913a9358e11495a1b6fba69d8a23238b367585f9a |
memory/2492-26-0x0000000000580000-0x00000000005C0000-memory.dmp
memory/2492-25-0x00000000744A0000-0x0000000074A4B000-memory.dmp
memory/2996-24-0x00000000744A0000-0x0000000074A4B000-memory.dmp
memory/2492-27-0x00000000744A0000-0x0000000074A4B000-memory.dmp
memory/2492-29-0x0000000000580000-0x00000000005C0000-memory.dmp
memory/2492-30-0x00000000744A0000-0x0000000074A4B000-memory.dmp
memory/2492-31-0x0000000000580000-0x00000000005C0000-memory.dmp
memory/2492-32-0x00000000744A0000-0x0000000074A4B000-memory.dmp
memory/2492-33-0x0000000000580000-0x00000000005C0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 05:42
Reported
2024-04-10 05:45
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp465F.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp465F.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp465F.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe
"C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hw5yxc7h.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4798.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDC1F2991BF44427DB19013C125CDF29E.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp465F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp465F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/512-0-0x00000000754E0000-0x0000000075A91000-memory.dmp
memory/512-1-0x00000000754E0000-0x0000000075A91000-memory.dmp
memory/512-2-0x0000000001420000-0x0000000001430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hw5yxc7h.cmdline
| MD5 | 999298a96931f81d0a1beab6a567111f |
| SHA1 | 59c721b4d24d96d177ecb2d514d27420bb6c65f9 |
| SHA256 | fb6617968e757fbe9c26a5f8f74b5dc1dc69ae430814f7ea749bb87d57f57bf1 |
| SHA512 | d01c3d34f02eb4167e59fdbb2cdc36f25e5c9a9dc882bafc617f1038d86ae61f30f9ec7870c73e3011c1941a338410a5402e0047ec648b4d4568643e0ec7cb6f |
C:\Users\Admin\AppData\Local\Temp\hw5yxc7h.0.vb
| MD5 | 3ecbd452fe9e2ee1c19459876f1a77e1 |
| SHA1 | 24baf074ce72b8df62c1875db8c51443bc9db2ad |
| SHA256 | 225cff039d7e378538b38fef7872d51d34cfe2dfb7c6d91f8dccc237de88cede |
| SHA512 | 781d1f3c4ef2b408387d3f6844fc92250c2f5b88e413044873ec5ffa718ae51b13c4d304373f9009021f697822194421f6138e2bbb07b4f4910662d527d91bf8 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8fd8e054ba10661e530e54511658ac20 |
| SHA1 | 72911622012ddf68f95c1e1424894ecb4442e6fd |
| SHA256 | 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7 |
| SHA512 | c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c |
C:\Users\Admin\AppData\Local\Temp\vbcDC1F2991BF44427DB19013C125CDF29E.TMP
| MD5 | e9b2a3317f4f4247e9a2bd5bb867cba4 |
| SHA1 | 7f25ce09851149a1b2fe69aff1cda2f91989f6e3 |
| SHA256 | 5eeccc593bce775bf2b3d7c9350295a06daf4c1eb7768e17ca6c578634d97cf1 |
| SHA512 | 764501bbd583f6f9bd10ae3491a8c54f91b6bf1b715f5f8481a75bebb5e667f7cffa213f796634fadf9d35e0fe68cfc0e83e727c8ab0a6613779a108003add98 |
C:\Users\Admin\AppData\Local\Temp\RES4798.tmp
| MD5 | 514851e196fb0a8a0f2406fabdb5585f |
| SHA1 | 7807fa5f4e0b2cfbbad78fc5e85ad9c5fc1114be |
| SHA256 | 88ed0ed3e2a40598e1590aec06e7a9b364b6e8bfb23b9a81f743dffe44873a9a |
| SHA512 | 8149ca8ffdf4d108ae24f2ec7f936e763041b8fc29d0e85473b55b956bc77ef9f9de4af256024caa3f3cac6a297bfa121616bb1f3b11c5dc2d6a01fa3e672db3 |
C:\Users\Admin\AppData\Local\Temp\tmp465F.tmp.exe
| MD5 | 5ad16251568f54c50b1088b225801355 |
| SHA1 | 8c03879b16ae537a39b9a7d14d7907b423908d33 |
| SHA256 | 3829a534059cbaa22c1d147e7977b0c1d56729db6119ba4d29a0524ce77da127 |
| SHA512 | 5ef1191aa26d742d29acc46ea88746e25db2b23f72491fe9e5e349a1e635eb0d2e2dde3e54d373748c2701f7e73f93e859bbc7b4b01abb71d5f4cfff0cd24f8d |
memory/512-20-0x00000000754E0000-0x0000000075A91000-memory.dmp
memory/516-21-0x00000000754E0000-0x0000000075A91000-memory.dmp
memory/516-22-0x00000000012A0000-0x00000000012B0000-memory.dmp
memory/516-23-0x00000000754E0000-0x0000000075A91000-memory.dmp
memory/516-25-0x00000000012A0000-0x00000000012B0000-memory.dmp
memory/516-26-0x00000000754E0000-0x0000000075A91000-memory.dmp
memory/516-27-0x00000000012A0000-0x00000000012B0000-memory.dmp
memory/516-28-0x00000000012A0000-0x00000000012B0000-memory.dmp