Analysis Overview
SHA256
5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530d
Threat Level: Known bad
The file 5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Metamorpherrat family
Uses the VBS compiler for execution
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Deletes itself
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 17:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 17:00
Reported
2024-11-10 17:02
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7E.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp7E.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp7E.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7E.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
"C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qjqwuokn.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CE.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp7E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
Files
memory/1564-0-0x0000000074571000-0x0000000074572000-memory.dmp
memory/1564-2-0x0000000074570000-0x0000000074B1B000-memory.dmp
memory/1564-3-0x0000000074570000-0x0000000074B1B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qjqwuokn.cmdline
| MD5 | 75cd06a1b925fb38c0e4007f30db6216 |
| SHA1 | aa8c4c0edf4e72281587e63aa16542f1a785b3da |
| SHA256 | a7bf52f754ef16b2b20417befc6c15f25ae6d1bd4001e3bd4f60e5ebd5ca6c99 |
| SHA512 | 809fe440e96044ebfae67fa026c6e05b657cf463cb0b4d560a5cd6c4916505e07110f5e4385b580e8915f6367e284c669b5de5c65d3a1501c91f48e7a2a3b912 |
memory/2548-8-0x0000000074570000-0x0000000074B1B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qjqwuokn.0.vb
| MD5 | e5efca5b95107a7f079a43a6d582cc05 |
| SHA1 | e5870fac1097d5988460c399e3d6a21f14fe3cd6 |
| SHA256 | 247fbe93d6ed2f1b0481c8d06abd656ec0db1b6485d7c591c114bf38792a106a |
| SHA512 | 1b66154d0dd94613106dc28188dff108ee64e8f3053d129270adeadc7799c2422ce68413d9f560dd19436d0633fc91d11cf964265cbb4b1d63cc408c81c46add |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8fd8e054ba10661e530e54511658ac20 |
| SHA1 | 72911622012ddf68f95c1e1424894ecb4442e6fd |
| SHA256 | 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7 |
| SHA512 | c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c |
C:\Users\Admin\AppData\Local\Temp\vbc2CE.tmp
| MD5 | c358198688a140b94fc3585cf86be5d9 |
| SHA1 | c58f405925cef1690b22f43046b7e16bdd32c1df |
| SHA256 | 69dcb6778f6aaa1c49e64fecbd5429d32b05098871fd95651fac8dd8f1301b78 |
| SHA512 | 0d3d54611c8acfe8108a6b78155b06d09a5ac80a8c987426a6f1e2c1c55877e2be9d9a790968b096806a29eebcff627ff85fd6a504e98f60740d44c19fc00ab3 |
C:\Users\Admin\AppData\Local\Temp\RES2CF.tmp
| MD5 | b6a9db8a3ec3dbe72e701527379b00c6 |
| SHA1 | 338a3119397ce02ebf3e00399d309d6d236da490 |
| SHA256 | c902e2de0114c880a3aec040a585dca4ab11d7780117849ad2ae119d558c2162 |
| SHA512 | 8109237785ca6559b5b31ce8cc3276e468f8461326289058bddde0576ea35b1ff45e6f7a3e3f9b282da4a2cbd346e026cedf87d1c09471ab6273dc8fc431c561 |
memory/2548-18-0x0000000074570000-0x0000000074B1B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7E.tmp.exe
| MD5 | 1c749eb49c53931306d40063e1933744 |
| SHA1 | 4eeec30480d14e17804e5f02164c51a4d45dc550 |
| SHA256 | 314a625ada99172ff18633c2b251dd37de955109b00698c106b04b2432742765 |
| SHA512 | c5a005020628c6f1bc766a082c449878e1ccd1cb3cee192bf320147c6bbbb1a414675b514449eede09bbed4e2b542db2e92c934fe7296b72476a3a5a0f5252d9 |
memory/1564-24-0x0000000074570000-0x0000000074B1B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 17:00
Reported
2024-11-10 17:02
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
"C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ehgogi6h.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA596.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50B84AF97A4C3C9EC86E115E5BF4F5.TMP"
C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/3600-0-0x0000000074B92000-0x0000000074B93000-memory.dmp
memory/3600-1-0x0000000074B90000-0x0000000075141000-memory.dmp
memory/3600-2-0x0000000074B90000-0x0000000075141000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ehgogi6h.cmdline
| MD5 | 01558bc62c63242a6661b44b7813985d |
| SHA1 | 24ea7eab557691dedfcb6a51cb17f39a8f76b88d |
| SHA256 | 117d49e47ad475ca0add2f082b899af1b3d688af1c969594ebfe8cce43e96425 |
| SHA512 | 394e5ec9cf00971f29dde548f3a1e8167b24330cfe86d1e9f8122c67fdc5d01401ef8ed25e8f8848fd466defe2f977a2b4419ba784530dd1e711a4937a0f18db |
C:\Users\Admin\AppData\Local\Temp\ehgogi6h.0.vb
| MD5 | 162f74758670b65dbc0d419b01ab078f |
| SHA1 | 4ad252fe2d4f575f703a7c5670474648a586300d |
| SHA256 | 18c984575a4a581955cba85e5351a64283e7dbd3b02628c195c675d25467b638 |
| SHA512 | 02e986b1b43166398c1fe42c1c2c9062294785b0e7bb8e7a17e3fa0281273df66ec1afcdc883746a426fa2b721baf30e0f64fd4c79da23132473efb1fdc967ff |
memory/1100-9-0x0000000074B90000-0x0000000075141000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8fd8e054ba10661e530e54511658ac20 |
| SHA1 | 72911622012ddf68f95c1e1424894ecb4442e6fd |
| SHA256 | 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7 |
| SHA512 | c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c |
C:\Users\Admin\AppData\Local\Temp\vbc50B84AF97A4C3C9EC86E115E5BF4F5.TMP
| MD5 | 56dc57a2daa7ed585c60f7e9f5501951 |
| SHA1 | b6ea53163ab4ac7b54985153debac8b7ba1955ca |
| SHA256 | 1da41e59fb9c7c5fa25de3ed4b002bfa3c51537b8ff34e9db9f3f69a4eef9658 |
| SHA512 | e47a8924ef4132cdca8362273c6745e9307dd5d1eda6b3ddef2cc3a58ea0b11be9650176b3072ccebb55ae4b65a370da4ad378280c4b71226d5a906a90c84374 |
C:\Users\Admin\AppData\Local\Temp\RESA596.tmp
| MD5 | efc3f15e84541a00465313bb57b68270 |
| SHA1 | 7ff928dd192046f3e65fa410a79f175603f43ea7 |
| SHA256 | 93097f22c736695933652a5fa64aca4921568e5879725be87231ee2c1df4d80d |
| SHA512 | 5795fbc233c9d5981b5d2e7aab76fd34442ee3eec4094379ccfcddb1573c87f4b680bd6d79c7c98b4a14301803f79354e52a076524bde5db35213a8839bf7506 |
memory/1100-18-0x0000000074B90000-0x0000000075141000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe
| MD5 | d79406ef03f110f019b286e354d82f67 |
| SHA1 | 9f2b660dcd34cce7d0c63c87d8912a0c0c8aa3bd |
| SHA256 | 53eb93b83b06510ce861966047204e9a66c64a634d83df8c046bdc6ab91175d4 |
| SHA512 | b08bdb6eecb0f74d15afbb04f3c53de04b234af945dcba71f37ce36535c8a9d51fa4d2e92076fda30ff730f052e94c710c1719f4e8001821c20cea2d8f9a3b26 |
memory/4212-22-0x0000000074B90000-0x0000000075141000-memory.dmp
memory/3600-23-0x0000000074B90000-0x0000000075141000-memory.dmp
memory/4212-24-0x0000000074B90000-0x0000000075141000-memory.dmp
memory/4212-26-0x0000000074B90000-0x0000000075141000-memory.dmp
memory/4212-27-0x0000000074B90000-0x0000000075141000-memory.dmp
memory/4212-28-0x0000000074B90000-0x0000000075141000-memory.dmp