Analysis Overview
SHA256
f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff
Threat Level: Known bad
The file f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Uses the VBS compiler for execution
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-26 05:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-26 05:27
Reported
2024-07-26 05:30
Platform
win7-20240708-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
"C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wleikvru.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2492.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2491.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
Files
memory/2716-0-0x00000000740C1000-0x00000000740C2000-memory.dmp
memory/2716-1-0x00000000740C0000-0x000000007466B000-memory.dmp
memory/2716-6-0x00000000740C0000-0x000000007466B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wleikvru.cmdline
| MD5 | 1bf064ecc0656f91ad4fbcaec55dc0ad |
| SHA1 | 7722fbd198aea327cf0c66945f5e1d17d980b282 |
| SHA256 | c4469b0b939311c0a979cc97082c1707b698efa50aa68d7f0777ccc66bc99e59 |
| SHA512 | b485a0b826d81302c563aafbffe3a53dd71cccc5f3d62cf7c6b89c1a33093c410fe802bb7678cb4456ff077a57c8c4157efc10e6e32da50ca51c7673d18cda3d |
memory/2720-8-0x00000000740C0000-0x000000007466B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wleikvru.0.vb
| MD5 | d293403390fe2c36172b27c64d5c8650 |
| SHA1 | 7da8e06d74ca0eb27de9be37a7f6edbd09aa977b |
| SHA256 | 01f36b19af186ed3cb30eefb5de7a90e1a42ed5fc80c954da69403245116524c |
| SHA512 | 38d67d55a3a7709187f1841f754e5c2e526a22ca0e9d7fe9aae5768c220ea698c3295f660eaca8794dd68ee1dbdf0f56878e30e46f92566ebe58cf9e12cf8095 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 6870a276e0bed6dd5394d178156ebad0 |
| SHA1 | 9b6005e5771bb4afb93a8862b54fe77dc4d203ee |
| SHA256 | 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4 |
| SHA512 | 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809 |
C:\Users\Admin\AppData\Local\Temp\vbc2491.tmp
| MD5 | 06c9e30575a76e9078b3348a847e5d5c |
| SHA1 | ceb29e8f306b0f49e81b10d6546002077a77c39e |
| SHA256 | 37259d75ddf2ee54bb550017eca80db23f92dbccc62f68272e3ff8cacef39b4d |
| SHA512 | 0f72893e3248ca82084f50d1caa43f761ae7ef8153f437177f86299ef8df4c74bc38829a86b29628cd369b341cfcf006159dc11d0a4b6d669603a8a39028ffbb |
C:\Users\Admin\AppData\Local\Temp\RES2492.tmp
| MD5 | d11fa8c5ba0127d1273631b185398739 |
| SHA1 | ed9df0ba12ca7f80ffbeb9adde9502bf553d8d6d |
| SHA256 | 52f9242df07e778fc7767d862060b7802e049275c0018682b8823445acc8662a |
| SHA512 | a20ec45faa79e6317fe86fa66171467d57909a1183e422bf1007c8283119c03dd7608d0f019bfbd33790e113ec2577e6efde9e822ea7805a25db2110726292fa |
C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe
| MD5 | 0ba125c8789e9cabbb7e931d91a056bc |
| SHA1 | 9203e443f9ed4b5e136edf36b01cbd3ce424282c |
| SHA256 | 18f2b2c9379e3f32c80a8d548782012c298c5f44d8680488e1690349431897c8 |
| SHA512 | e9a5ecf7ea3f999500326866438e6f54d5486c1811c309476a131fc6eccc0416bc11a37ee5aeb8c1a8432d62814b25a5730958b9654114625a86e8f6939b2339 |
memory/2720-18-0x00000000740C0000-0x000000007466B000-memory.dmp
memory/2716-24-0x00000000740C0000-0x000000007466B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-26 05:27
Reported
2024-07-26 05:30
Platform
win10v2004-20240709-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
"C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\etflx7_s.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB16E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B58DEAC7A2B41089190DBC0AA458C7D.TMP"
C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
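Both detonations show the same chain: the dropper in %TEMP% writes a .vb source and a .cmdline response file, runs vbc.exe (the VB.NET command-line compiler, despite the signature's "VBS" wording) with `/noconfig @...cmdline`, vbc.exe calls cvtres.exe to build the Win32 resource object (`/MACHINE:IX86`, so a 32-bit payload, which is why the Run key lands under Wow6432Node), and the dropper then executes the freshly compiled tmpXXXX.tmp.exe with its own path as the argument. That payload sets `Run\mscorsvc` to a sortkey.exe path that neither Files section lists. The following detection is an added example, not part of the sandbox output or of the sample: it replays constructed process-creation and registry events shaped like the behavioral1 tree and flags the chain, using the parent's %TEMP% location to separate it from MSBuild or PowerShell `Add-Type`, which also run vbc.exe with a response file. Field names, PIDs other than 2716/2720, and the benign control events are assumptions.

```python
"""Detect the compile-at-runtime chain recorded in this report.

Added example, not part of the sandbox output or of the sample. Event
shapes, most PIDs and the benign control are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:
    pid: int
    key: str
    data: str


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
VBC_IMAGE = re.compile(r"\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\vbc\.exe$", re.I)
CVTRES_IMAGE = re.compile(r"\\cvtres\.exe$", re.I)
# vbc.exe /noconfig @"...\Temp\<name>.cmdline": CodeDOM-style build whose
# response file lives in %TEMP%, exactly as in the report's command lines.
TEMP_RESPONSE_FILE = re.compile(
    r'/noconfig\s+@"?[^"\s]*\\AppData\\Local\\Temp\\[^"\s]+\.cmdline', re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def find_runtime_compile_chains(procs, regs):
    """One finding per vbc.exe launched by a parent that runs out of %TEMP%."""
    by_pid = {p.pid: p for p in procs}
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)

    findings = []
    for vbc in procs:
        if not (VBC_IMAGE.search(vbc.image) and TEMP_RESPONSE_FILE.search(vbc.cmdline)):
            continue
        dropper = by_pid.get(vbc.ppid)
        # Discriminator: MSBuild, Visual Studio and PowerShell Add-Type also run
        # vbc.exe with a response file, but they do not execute from %TEMP%.
        if dropper is None or not TEMP_DIR.search(dropper.image):
            continue
        cvtres = any(CVTRES_IMAGE.search(c.image) for c in children.get(vbc.pid, []))
        # The dropper then runs the compiled binary (tmpXXXX.tmp.exe here);
        # the naming is this sample's, so treat it as a tunable.
        payloads = [c for c in children.get(dropper.pid, [])
                    if c.pid != vbc.pid and TEMP_DIR.search(c.image)
                    and c.image.lower().endswith(".tmp.exe")]
        payload_pids = {c.pid for c in payloads}
        persistence = [(r.key, r.data) for r in regs
                       if r.pid in payload_pids and RUN_KEY.search(r.key)
                       and TEMP_DIR.search(r.data)]
        findings.append({
            "dropper": dropper.image,
            "compiler_cmdline": vbc.cmdline,
            "cvtres_seen": cvtres,
            "payloads": [c.image for c in payloads],
            "run_key_persistence": persistence,
        })
    return findings


# Constructed telemetry modelled on behavioral1. PIDs 2716/2720 come from the
# memory-dump names in the report; the rest are invented.
T = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
DROPPER = T + r"\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe"
SAMPLE_PROCS = [
    ProcEvent(2716, 1234, DROPPER, '"' + DROPPER + '"'),
    ProcEvent(2720, 2716, NET + r"\vbc.exe",
              '"' + NET + r'\vbc.exe" /noconfig @"' + T + r'\wleikvru.cmdline"'),
    ProcEvent(2740, 2720, NET + r"\cvtres.exe",
              NET + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + T
              + r'\RES2492.tmp" "' + T + r'\vbc2491.tmp"'),
    ProcEvent(2760, 2716, T + r"\tmp23C6.tmp.exe",
              '"' + T + r'\tmp23C6.tmp.exe" ' + DROPPER),
    # Benign control (constructed): PowerShell Add-Type -Language VisualBasic
    # also writes a .cmdline to %TEMP%, but its parent is not a %TEMP% binary.
    ProcEvent(4000, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'),
    ProcEvent(4100, 4000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"'
              + T + r'\abcd1234.cmdline"'),
]
SAMPLE_REGS = [
    RegEvent(2760, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc",
             '"' + T + r'\sortkey.exe"'),
]

if __name__ == "__main__":
    for finding in find_runtime_compile_chains(SAMPLE_PROCS, SAMPLE_REGS):
        print(finding)
```

Mapping this onto real telemetry means Sysmon event 1 (process create, with ParentImage) and event 13 (registry value set); the parent-in-%TEMP% condition is what keeps developer workstations quiet, and the Run key check should also fire on its own, since the persistence value points at a binary the report never records as written.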
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
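Read together, the two Network tables (behavioral1 above and this one) reduce to a small IOC set: bejnz.com resolving to 44.221.84.105 and then polled repeatedly over TCP/80, and rwkeith.no-ip.org, which is queried again and again but never appears as a connection. The in-addr.arpa lookups are reverse lookups of the sandbox's own traffic, and tse1.mm.bing.net is Windows 10 background traffic. The script below is an added example, not part of the sandbox output: it parses the report's own row format, drops that noise, counts beacons per socket, and lists domains that were resolved but never contacted. The embedded rows are a constructed excerpt of this table, and the noise suffix list is an assumption to tune per sandbox.

```python
"""Triage the Network tables of this report into IOCs.

Added example, not part of the sandbox output. REPORT_ROWS is a constructed
excerpt of the behavioral2 table; NOISE_SUFFIXES is an assumption.
"""
import re
from collections import Counter

# Constructed excerpt (header included so the parser is shown skipping it).
REPORT_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
"""

ROW = re.compile(r"^\|\s*(\w+)\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]+?)\s*\|\s*(tcp|udp)\s*\|$")

# Reverse lookups of the sandbox's own traffic and Windows 10 background
# connections carry no verdict. Assumption: extend for your sandbox image.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.net")


def parse_rows(text):
    """Parse '| Country | ip:port | Domain | Proto |' rows; skip anything else."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(rows, resolver="8.8.8.8"):
    """Split rows into DNS lookups and real connections, minus noise."""
    dns = Counter()
    conns = Counter()
    for r in rows:
        if r["domain"].endswith(NOISE_SUFFIXES):
            continue
        if r["proto"] == "udp" and r["port"] == 53 and r["ip"] == resolver:
            dns[r["domain"]] += 1          # a lookup, not a connection
        else:
            conns[(r["domain"], r["ip"], r["port"], r["proto"])] += 1
    contacted = {d for d, _, _, _ in conns}
    return {
        "connections": dict(conns),        # beacon count per socket
        "dns_queries": dict(dns),
        # Resolved repeatedly but never connected to in the capture: the
        # rwkeith.no-ip.org pattern, a DDNS fallback worth blocking anyway.
        "queried_never_contacted": sorted(d for d in dns if d not in contacted),
    }


def iocs(summary):
    """Flatten the summary into blocklist-ready domains and ip:port sockets."""
    domains = set(summary["dns_queries"]) | {d for d, _, _, _ in summary["connections"]}
    sockets = {f"{ip}:{port}" for _, ip, port, _ in summary["connections"]}
    return {"domains": sorted(domains), "sockets": sorted(sockets)}


if __name__ == "__main__":
    s = summarize(parse_rows(REPORT_ROWS))
    print(s)
    print(iocs(s))
```

Run against the full tables, the beacon count per socket is the useful number: on both platforms the sample keeps hitting 44.221.84.105:80 for the whole 150 s run, so a proxy log search for that socket or for the bejnz.com Host header is a better hunt than the hash alone, and the dynamic-DNS name belongs on the blocklist even though no connection to it was captured.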
Files
memory/1756-0-0x0000000074842000-0x0000000074843000-memory.dmp
memory/1756-1-0x0000000074840000-0x0000000074DF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\etflx7_s.cmdline
| MD5 | de6785abee22a787c242bb23c60568d6 |
| SHA1 | 0cfc2c20e1b8227bc074fd63baab7be179e7e2c9 |
| SHA256 | 3bb0a7f3eaf624fda9feb401c9f763036174f13068e16137145bdd8d362a26f7 |
| SHA512 | d55c5feb6b12e317a38c7bbff1b35587e44c03d720307e7d1d12acb5f479aec140508675f82b6a5fffc45bb4c4c72020a538b427cdf1f866e55f4cc2edba7298 |
C:\Users\Admin\AppData\Local\Temp\etflx7_s.0.vb
| MD5 | b6e076569014c1504f10f402b4500bf1 |
| SHA1 | 2d946dde31e3cac560dd3695a8c0d928c547c45b |
| SHA256 | 840b439b955f3aade074b149ccb1bc49d6e2bed72599a9cadeafdecb1008043e |
| SHA512 | d5cfefb7372d8df28296b26d88d160c3ddadac05d746bb8fa5840590ed19b4b3233aca0e3941916b2ccbd8c9de16a0526aca118ac51ebcee0c3caf75da60a814 |
memory/1964-8-0x0000000074840000-0x0000000074DF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 6870a276e0bed6dd5394d178156ebad0 |
| SHA1 | 9b6005e5771bb4afb93a8862b54fe77dc4d203ee |
| SHA256 | 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4 |
| SHA512 | 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809 |
C:\Users\Admin\AppData\Local\Temp\vbc7B58DEAC7A2B41089190DBC0AA458C7D.TMP
| MD5 | 31786bb106ce27678c8cf47292f6e23e |
| SHA1 | 8a1a798561a172f4a31c2a05ebb53f971ae0ddca |
| SHA256 | e6e7babc0014aae8eeacf913253a4700ba363a2ea37926169bea56a923c80ac0 |
| SHA512 | 7a20a8b02d9d51e1442da55877bd67a79201ff4bc4efed796512f45463fc26f67cbfc7dba662609c98f382a359ca6ba6e373f3b64d37b34c4d79f7924c34c726 |
C:\Users\Admin\AppData\Local\Temp\RESB16E.tmp
| MD5 | cccd1afad03e6d6c6b6c756ae943ea09 |
| SHA1 | 740fd4744f1c27b311167f3b23e0b2e5367d9a8f |
| SHA256 | ef06eb833b90ea025446ddff566d0c234689c2a9be10c75e15a4f8e8a0140ccd |
| SHA512 | dd8edcda325e433e71fbb905e0639da39e38375a4046bdb57d38cf614d7bcb8fc8e7ab3ed371ca50f462e3388d8a4d618498bd4fc8736d47ade0398257e2143d |
memory/1964-17-0x0000000074840000-0x0000000074DF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe
| MD5 | 3bea4c1dab266d43a2c2b145ccdb570a |
| SHA1 | a1f64d4fe16970ddb52a101e3aa052fd628efcae |
| SHA256 | 8e20258dfac87f7906abb66111616d0baf0cd08db4944c84766a9629846a2369 |
| SHA512 | e3e61c53126af8669c767b0371a13f25bfba88fd6376da52f9401071977c469c690fcda2ae4f356afd0d9d96ae8efd4b161ecaa255f2074e445d00c3a7699431 |
memory/1756-21-0x0000000074840000-0x0000000074DF1000-memory.dmp
memory/1316-22-0x0000000074840000-0x0000000074DF1000-memory.dmp
memory/1316-24-0x0000000074840000-0x0000000074DF1000-memory.dmp
memory/1316-23-0x0000000074840000-0x0000000074DF1000-memory.dmp
memory/1316-26-0x0000000074840000-0x0000000074DF1000-memory.dmp
memory/1316-27-0x0000000074840000-0x0000000074DF1000-memory.dmp
memory/1316-28-0x0000000074840000-0x0000000074DF1000-memory.dmp