Analysis Overview
SHA256
389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec
Threat Level: Known bad
The file 389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-11 20:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-11 20:13
Reported
2024-04-11 20:16
Platform
win7-20240221-en
Max time kernel
158s
Max time network
164s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe
"C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\thowj3zv.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6BED.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | | tcp |
Files
memory/1640-0-0x0000000073DF0000-0x000000007439B000-memory.dmp
memory/1640-1-0x0000000073DF0000-0x000000007439B000-memory.dmp
memory/1640-2-0x00000000001F0000-0x0000000000230000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\thowj3zv.cmdline
| MD5 | d2666d1f808625bf02f2ed044ffca0f8 |
| SHA1 | 8a5310e84e114dcc78cf02f39ae85c18d4a8ea83 |
| SHA256 | 0e326700811676f9702693a825259c437dd97bd7a50bd269a3539ff698b6ff2a |
| SHA512 | ed71247c807f084910393f614ff337c57d4bb87e135beafa2c7fe3e3207c0fdc6f649903ef1c10de88de77d4d50f49b4942a365c391c923be2f68c0a6032ff92 |
C:\Users\Admin\AppData\Local\Temp\thowj3zv.0.vb
| MD5 | 71a356e0457efc4041a817d97111eeae |
| SHA1 | 8948894c14a17c208ceca082cd0c0195d2299080 |
| SHA256 | 84f09387033917b65f5c19c135a6c4adf524ef50da3806577dde838f3ad7b241 |
| SHA512 | 1eebc3383e61306f34cce5fec06f6addd4279e0b99667bb5c231aa13e9a2fd53f6fde12e8414df0fab7f45554a770aee8951fbe40630cc53c64f1688432cb632 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 6870a276e0bed6dd5394d178156ebad0 |
| SHA1 | 9b6005e5771bb4afb93a8862b54fe77dc4d203ee |
| SHA256 | 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4 |
| SHA512 | 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809 |
C:\Users\Admin\AppData\Local\Temp\vbc6BED.tmp
| MD5 | 11e244cd03743eb6803d67c4f6150cde |
| SHA1 | 1bce9583c33072f301651c6f38bc80e100afd092 |
| SHA256 | 8ecca11964def559939f2c5e45899c9e6a4899a3dd988b6dc825b5c54faeca6e |
| SHA512 | e31a4d5072c77ec580f82d6cf08bc7f547031027165dcd08272f8a76b3c295b1233972f7144e697e72fc8253e43fe2e39a9e8c7a5e311345f0a5d1213604bb58 |
C:\Users\Admin\AppData\Local\Temp\RES6BFD.tmp
| MD5 | ef028f39351163f145da547dccaa5063 |
| SHA1 | f8e438b1fac34071117ba6b190f99de9ce73fbe8 |
| SHA256 | b5e0db0ff04c3f133afd28876ee0565e4cd68ec99ffe847226cb31fc53fee2a7 |
| SHA512 | 2b6336bee0d6de105df24ba415fea7645ddb33e76fedd3c220e3f82c2ea055190b19462fbbae46375aeb50f3e02c0abd14efa783fb704c0de156500169622c54 |
C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp.exe
| MD5 | e2090f7cc489828a963ea34f85057e44 |
| SHA1 | c6e2b1a29d050d35837ba28dca0003ba9677822a |
| SHA256 | 62afe098508c2407808e8efe7768b578d79093fae2b5810163ef897e260c2c80 |
| SHA512 | 636fc4d344848c9b4e711ef661461b7b59bbd37c2e8dbe6404863041dc956e6f6d7558a7ce713d17966333024bd5b0fb0ca314067cff776e59a7ed7e1688f38d |
memory/1640-22-0x0000000073DF0000-0x000000007439B000-memory.dmp
memory/1944-23-0x0000000073DF0000-0x000000007439B000-memory.dmp
memory/1944-24-0x0000000073DF0000-0x000000007439B000-memory.dmp
memory/1944-26-0x00000000002F0000-0x0000000000330000-memory.dmp
memory/1944-27-0x0000000073DF0000-0x000000007439B000-memory.dmp
memory/1944-28-0x00000000002F0000-0x0000000000330000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-11 20:13
Reported
2024-04-11 20:16
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
164s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA6EE.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpA6EE.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA6EE.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe
"C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nlp8tory.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA856.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17F71ECD5EB545179B2370FFCE41B734.TMP"
C:\Users\Admin\AppData\Local\Temp\tmpA6EE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA6EE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 13.107.246.64:443 | | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.201.106:443 | chromewebstore.googleapis.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
Files
memory/3220-0-0x00000000752F0000-0x00000000758A1000-memory.dmp
memory/3220-1-0x0000000000B60000-0x0000000000B70000-memory.dmp
memory/3220-2-0x00000000752F0000-0x00000000758A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nlp8tory.cmdline
| MD5 | c65ef368039ae2dd652acf73746a7628 |
| SHA1 | 8731616bb0d90a01b6bc94fac0130d930e2deb7a |
| SHA256 | b42e4e33a29f63567f46867247e3431761ebb283a590b873934204bc8845be45 |
| SHA512 | e909f0f0d4c87169cdad804c2a53221eea32365e5adbd00dc62855110af19f0744353ee2e9a473ea66b7ebb185004d015ac059374a0dbabb1aa8c11e45f3f6b5 |
C:\Users\Admin\AppData\Local\Temp\nlp8tory.0.vb
| MD5 | ec13382cda8868d51e3eac201099a986 |
| SHA1 | 0dad3f139d35a606096a1344675ca214490d470a |
| SHA256 | 31dde1f13e96a4d06f76e9c8e7b838c3de8c8271708f9888461207c7607573b0 |
| SHA512 | f8172bf03ec1ef324224a434f6daad801ae46b393baa0ff21e1e81b409d2676e1f9b4423a515aecf55181eb26ae3064de018fb1e19356a9bea88c785a5b51b0c |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 6870a276e0bed6dd5394d178156ebad0 |
| SHA1 | 9b6005e5771bb4afb93a8862b54fe77dc4d203ee |
| SHA256 | 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4 |
| SHA512 | 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809 |
C:\Users\Admin\AppData\Local\Temp\vbc17F71ECD5EB545179B2370FFCE41B734.TMP
| MD5 | 6aa45780170bff771f9283d0fa336bf1 |
| SHA1 | e4386eabfb6c93d1839d89ec05ffce6f5834fb06 |
| SHA256 | 0ab6a7dc3bc7c4005d5fd1634112abc8fa90f15e1e9068ae2aaa9452001bc35f |
| SHA512 | 22846bf40b3a8ba2f035d4b5dd89fc8380138d6abdb162f1da6ce15208bffa03c6c5fb25feb893c48d914c7729b83d9cf84fc2f8c2850ce6389e7f890fd8d868 |
C:\Users\Admin\AppData\Local\Temp\RESA856.tmp
| MD5 | 5fcb86efbdad81eb8488dc51c6aee88d |
| SHA1 | a03b0e45288a226010cbe547c98f8141e47c62f5 |
| SHA256 | b6a84e6108d1c59cc257e85ad989d3d91b67f4059bdb23aa3a473d138f8e95e4 |
| SHA512 | df88c23f690c8eedf22f9d1469b5fc9a64b10c49214bdeed36a0f4d6d98316966ed36cd7d35fc4805e8285b8e512703424d8c4d8fe23a3a655c0cbe6d25b40f0 |
C:\Users\Admin\AppData\Local\Temp\tmpA6EE.tmp.exe
| MD5 | b1ad65a6aaef85c6efe22b84bbb8732d |
| SHA1 | 91ad6668e99b72cddf721955c307fe67cd26ec51 |
| SHA256 | 0a333bba409c20e019f59fa8b1eec93ba11c3ac0fc366d5f917148d1d41033bd |
| SHA512 | 8e3c3db213d23bb033914405f9a6c4c7d0be2cd5eedfcfdbbab578dec9afa47be7f8bd1c3a75bcd01628369dea80f75b89f67648527e79bc35b058a3a6d60993 |
memory/3220-20-0x00000000752F0000-0x00000000758A1000-memory.dmp
memory/3824-21-0x00000000752F0000-0x00000000758A1000-memory.dmp
memory/3824-22-0x0000000000B00000-0x0000000000B10000-memory.dmp
memory/3824-23-0x00000000752F0000-0x00000000758A1000-memory.dmp
memory/3824-25-0x0000000000B00000-0x0000000000B10000-memory.dmp
memory/3824-26-0x00000000752F0000-0x00000000758A1000-memory.dmp
memory/3824-27-0x0000000000B00000-0x0000000000B10000-memory.dmp
memory/3824-28-0x0000000000B00000-0x0000000000B10000-memory.dmp