Analysis Overview
SHA256
563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9d
Threat Level: Known bad
The file 563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
Loads dropped DLL
Deletes itself
Uses the VBS compiler for execution
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 16:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 16:59
Reported
2024-11-08 17:01
Platform
win7-20241023-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe
"C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l7l9uy9q.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC0DF.tmp"
C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
Files
memory/108-0-0x0000000074481000-0x0000000074482000-memory.dmp
memory/108-1-0x0000000074480000-0x0000000074A2B000-memory.dmp
memory/108-2-0x0000000074480000-0x0000000074A2B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\l7l9uy9q.cmdline
| MD5 | f82519429c0ed4d753d23edef15c2240 |
| SHA1 | 8d9f643e473a397e02833d08b0f0c66b70c1f9d6 |
| SHA256 | 5695ae073e73ca8d35a235aca7764d6f48e8375acb6ae9ae2301a1d158c41074 |
| SHA512 | b2f1f8db58b7d39f4ec0558c76eb340a82afb83838ed971b75b9d67e2fbde2ee769785b5a1447ae9eb6b0ae4b14b94e8bca7a63f89ea80c09b5f816cb7a84fbc |
memory/2040-8-0x0000000074480000-0x0000000074A2B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\l7l9uy9q.0.vb
| MD5 | 8ea001ea1659e696ee3f13752f5cb686 |
| SHA1 | 0c66ce3dc74df2da198e5bc8ee692e0f529384d6 |
| SHA256 | 5248d8a01ed16fd51b9fb0d2d2a9126a3d25a72348a3ea19e80d53f746267019 |
| SHA512 | 3c0938143a61fb24a3cf487bf3f1b95cbdee2fce8f903f93d10399f749ec4b92b3823fdb0886de8f16b109809fc02dd85ff4971d04fc0de31c620211d42fbd93 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8008b17644b64cea2613d47c30c6e9f4 |
| SHA1 | 4cd2935358e7a306af6aac6d1c0e495535bd5b32 |
| SHA256 | fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55 |
| SHA512 | 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea |
C:\Users\Admin\AppData\Local\Temp\vbcC0DF.tmp
| MD5 | 46d5ca83a340da88a113d34f8b43dbd1 |
| SHA1 | e72534bf2599de6aed63f8484a4fd47f930131ff |
| SHA256 | 18af735c03fde70ec7bd241a7e60bb70de3a5832e530d252f460f7b21c79f16e |
| SHA512 | ba527dbc1b57b3e9f33a17d52ee14f1537e7b2c13bcd8169d993c043db4393e48f727505fd283042118080fdf75f1190c556c872041e3ec01266932fdf658bec |
C:\Users\Admin\AppData\Local\Temp\RESC0E0.tmp
| MD5 | b9150ef5933a109ef9fa4028e5b70db4 |
| SHA1 | afe5904aaf2bf5b96dff8e5b963dab0835981a43 |
| SHA256 | 9c84fa872f19a78afc926d9bda2cbb6136cca7d8e7bd90f9fdd0d1f99eff377f |
| SHA512 | 9cf315046302dbc4035677d244216da44984fe43be5273bb70605c9839add8050002c2303055d9d58b4f4db833a65f38d1f1cb5509098f0bed9b7f42a1ae6023 |
C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.exe
| MD5 | fe424c40a4f2a319011de41ba94851df |
| SHA1 | be507ba33377fbfb0d1c4ab600f2125cb542058c |
| SHA256 | e50bf4ab8abcf550140003dfd0864a6f99580e280790ea550cb1253575bc06a2 |
| SHA512 | 91ab9209809fa3d44e0f09de00a143ad71a1adafa7e56a203c0b5fd90e300e7cb0b4ad1b006c13389070561a089853301f1886eb086f3cf528094de2bc76c380 |
memory/2040-18-0x0000000074480000-0x0000000074A2B000-memory.dmp
memory/108-24-0x0000000074480000-0x0000000074A2B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 16:59
Reported
2024-11-08 17:01
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe
"C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vg4timyl.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB1414D88568A4108BA8E5A912675D22.TMP"
C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/468-0-0x0000000074A32000-0x0000000074A33000-memory.dmp
memory/468-1-0x0000000074A30000-0x0000000074FE1000-memory.dmp
memory/468-2-0x0000000074A30000-0x0000000074FE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vg4timyl.cmdline
| MD5 | cc9f0385a85cd56fec0a96414db80921 |
| SHA1 | edcf690d27433270aaa568899aa49346b79849fe |
| SHA256 | 3e3d3a71e44176201552ed32d7ca5b1455ac487543ed16bc259449dd06053023 |
| SHA512 | 48dd6aea34097c498d1dca3e24293209deec06704deb52f12936975afbf48dcd6f52dd56e5eb8e04a5373987305942b841573abddfe8c66fa973a826e024ca61 |
memory/384-8-0x0000000074A30000-0x0000000074FE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vg4timyl.0.vb
| MD5 | 60b2b03bb9bc80a9e16016d8d52c1fd2 |
| SHA1 | 3f454e70b0171e156ef5c2ef032f78487a723c0c |
| SHA256 | 1dca1ca32dab8228a062f1f7c57938fe9877dbe8a7ccef836f271ea7635e4242 |
| SHA512 | e497bb66567e9aebcacd1fc28dc61a54d9c1ac8e7695725fda00b954d55abd0bee20634f40de8a37eecc59f422fa3759d4c5f6ce03faa9d3b7f4ac5f5aabf459 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8008b17644b64cea2613d47c30c6e9f4 |
| SHA1 | 4cd2935358e7a306af6aac6d1c0e495535bd5b32 |
| SHA256 | fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55 |
| SHA512 | 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea |
C:\Users\Admin\AppData\Local\Temp\vbcB1414D88568A4108BA8E5A912675D22.TMP
| MD5 | 7e582bb4b7da5f99717544f480e3b749 |
| SHA1 | 40596e8fc3c8d3977e52c5d7456df1393885dd82 |
| SHA256 | 23e7c1c68cb86ea6d4b28ead076c71bc6fd0ac5661feedca6f53c5df99fd06d1 |
| SHA512 | 4d67874fc4d0df31f9b8293d62b69b491eb6a44cf129ba43e542d53794327cdb7eb1f602a0e1af0f6e706d94e9dba7c6d6a118ba1dba88eaf1559e009fc0a704 |
C:\Users\Admin\AppData\Local\Temp\RESA9CD.tmp
| MD5 | b4f199c8e0b24ad9275a0314caab9c0f |
| SHA1 | 476d9634c77f3e298bb3b3aacdf6601b106dd30d |
| SHA256 | 90f6109d4894e4af36253959862a4266cf6b52971ff25e81ba3147fceb179563 |
| SHA512 | df31d501528ed5e64d86e830e7d05ebceee009ecc1829701fa41960ca907f31812e4ee888198c9357b0b88680653243c3f64713f98f18b99e28fdc4f3013182b |
memory/384-18-0x0000000074A30000-0x0000000074FE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.exe
| MD5 | f6f3cfc918ecd30f912d6d265fc530a7 |
| SHA1 | 629e842e65c879fe4e1b1cbe4751ece658a2f1d1 |
| SHA256 | 7f9ba20e35a42b8bab954c1dbe72e608becb8dab7319fca20b7cbf23d5f2a143 |
| SHA512 | c3e12b753876d2005aa314605c73543e2d42f4cf5294659cec2dc6a38c9655357cbcc869aa861d01dbd1fbdcaba5beea4408a6df83d3b539203a27cf28eb331e |
memory/468-22-0x0000000074A30000-0x0000000074FE1000-memory.dmp
memory/2288-23-0x0000000074A30000-0x0000000074FE1000-memory.dmp
memory/2288-24-0x0000000074A30000-0x0000000074FE1000-memory.dmp
memory/2288-25-0x0000000074A30000-0x0000000074FE1000-memory.dmp
memory/2288-26-0x0000000074A30000-0x0000000074FE1000-memory.dmp
memory/2288-27-0x0000000074A30000-0x0000000074FE1000-memory.dmp