Analysis Overview
SHA256
84680d2c6906ad6351539248ca84bacbb19aa45ee9b820e70d27021b9c24d59f
Threat Level: Known bad
The file 84680d2c6906ad6351539248ca84bacbb19aa45ee9b820e70d27021b9c24d59fN.exe was found to be: Known bad.
Malicious Activity Summary
Metamorpherrat family
MetamorpherRAT
Executes dropped EXE
Checks computer location settings
Deletes itself
Loads dropped DLL
Uses the VBS compiler for execution
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 21:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 21:38
Reported
2024-11-12 21:40
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpE1F6.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84680d2c6906ad6351539248ca84bacbb19aa45ee9b820e70d27021b9c24d59fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84680d2c6906ad6351539248ca84bacbb19aa45ee9b820e70d27021b9c24d59fN.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpE1F6.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\84680d2c6906ad6351539248ca84bacbb19aa45ee9b820e70d27021b9c24d59fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpE1F6.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\84680d2c6906ad6351539248ca84bacbb19aa45ee9b820e70d27021b9c24d59fN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpE1F6.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\84680d2c6906ad6351539248ca84bacbb19aa45ee9b820e70d27021b9c24d59fN.exe
"C:\Users\Admin\AppData\Local\Temp\84680d2c6906ad6351539248ca84bacbb19aa45ee9b820e70d27021b9c24d59fN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pmp28a1z.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE2C1.tmp"
C:\Users\Admin\AppData\Local\Temp\tmpE1F6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE1F6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\84680d2c6906ad6351539248ca84bacbb19aa45ee9b820e70d27021b9c24d59fN.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
Files
memory/1636-0-0x0000000074F01000-0x0000000074F02000-memory.dmp
memory/1636-1-0x0000000074F00000-0x00000000754AB000-memory.dmp
memory/1636-2-0x0000000074F00000-0x00000000754AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pmp28a1z.cmdline
| MD5 | 8fc5ab83433524a448e8455512a134d0 |
| SHA1 | 9a944b26ad37f80df731b5de848cba9c40b1d2df |
| SHA256 | e7d18fe25b127e684fcc9d94cb8ff413ea77dcf37dbbded5f3bbf631c54a129e |
| SHA512 | 48bdf20b14c45de9058cce81ac8428eead3f36d5646ff9f864a2e4b3b4db8f68bf3858542fc57b3bd69784c67bea6309cf44678c75d646e50c73c7e16ecd07e1 |
memory/1200-8-0x0000000074F00000-0x00000000754AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pmp28a1z.0.vb
| MD5 | 1d1d62a1eca9468b67a66ab956595627 |
| SHA1 | 61a11ff1a2244e2a601e4b38c5df92a951503a77 |
| SHA256 | d1ecf662c43d4144cd96723ddf2995924f15de910584e8dba365243da8207285 |
| SHA512 | 7d7c8a909109cb0f207f22f4c48d184c6649e314c01adf03807dbcc3a8c7dcf6fe92c7b8328ad15f4856eed5f289c9811ad6a948674dcb2445fd3f72aaa76f3f |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8fd8e054ba10661e530e54511658ac20 |
| SHA1 | 72911622012ddf68f95c1e1424894ecb4442e6fd |
| SHA256 | 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7 |
| SHA512 | c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c |
C:\Users\Admin\AppData\Local\Temp\vbcE2C1.tmp
| MD5 | 5fc5d05502e6d54da6f790750319a8e1 |
| SHA1 | 40ced5f0bf5f0cc0ace82c49470c7c73d91e7f1e |
| SHA256 | 6ba04ee6d4c7120ffac455067e0e9ed8f879ede7050af4a7cab7f3fc9c32db4f |
| SHA512 | c006f4859de205afdbe4d27ac3290d816add3b6d38f2dcd80c989075e3401f4e07438fa0b51ce4677bcece6b4a30e07a015d3add26178157544e46cf7313fcc7 |
C:\Users\Admin\AppData\Local\Temp\RESE2C2.tmp
| MD5 | 9e27fd85155dc2b55b6283d4ad4d4398 |
| SHA1 | e58337bdae791e51716544368b05e11070c59e9a |
| SHA256 | 5fc076a2615cd2ffbabec00f0a324ae1926f7c26ad5aa8397b2330316c8ddae0 |
| SHA512 | c7b2f3c025f911743beee425233f18f44c0872a87ea912dffb4f73ee27925bc91231c056e83ec607aea5539a38647d5de0f5a24f169403b06985b7c805f7aa1b |
memory/1200-18-0x0000000074F00000-0x00000000754AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE1F6.tmp.exe
| MD5 | 68a541a60aaeabb22716f94f874af38e |
| SHA1 | 38a296c992b16d2d8ad98e6d141de74e48191784 |
| SHA256 | c7746a04e73be4305e8e9a0af2665a7cb75e58000a67586ff2dba972900c2cb9 |
| SHA512 | 8faed21f00977dd42a760b8019ce329624d060aeb409e65cf4670b4e89898375915c1b56d72e7c4d569451ce6d0a04754aab902148bdd502ff9388e2c6153ed7 |
memory/1636-24-0x0000000074F00000-0x00000000754AB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 21:38
Reported
2024-11-12 21:40
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\84680d2c6906ad6351539248ca84bacbb19aa45ee9b820e70d27021b9c24d59fN.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9097.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9097.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp9097.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp9097.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\84680d2c6906ad6351539248ca84bacbb19aa45ee9b820e70d27021b9c24d59fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\84680d2c6906ad6351539248ca84bacbb19aa45ee9b820e70d27021b9c24d59fN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9097.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\84680d2c6906ad6351539248ca84bacbb19aa45ee9b820e70d27021b9c24d59fN.exe
"C:\Users\Admin\AppData\Local\Temp\84680d2c6906ad6351539248ca84bacbb19aa45ee9b820e70d27021b9c24d59fN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jv7ejkci.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91B1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF6A2D067AFFF46E3972E892C126546C5.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp9097.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9097.tmp.exe" C:\Users\Admin\AppData\Local\Temp\84680d2c6906ad6351539248ca84bacbb19aa45ee9b820e70d27021b9c24d59fN.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | udp |
Files
memory/3908-0-0x0000000075082000-0x0000000075083000-memory.dmp
memory/3908-1-0x0000000075080000-0x0000000075631000-memory.dmp
memory/3908-2-0x0000000075080000-0x0000000075631000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jv7ejkci.cmdline
| MD5 | 756a33f8327458061146aea92aa36c78 |
| SHA1 | 0f2548fd0458cc0109c3df572c88d50e443a3601 |
| SHA256 | 0d40e65c748898880e9390645917d43a1cdfb95eec1dd6c7fb2f8f3ecfb8e3c7 |
| SHA512 | d823b253ee313b81d9a24ffd02a6442e7c132dd5170709b794243ba3c014fd0648792a8adf1d3e8713293d669fface00d3aa44fb103762fdb11e849518c93b62 |
memory/4104-8-0x0000000075080000-0x0000000075631000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jv7ejkci.0.vb
| MD5 | a6d62e96e0c9108ce85e02f157f6dd57 |
| SHA1 | 9b77fc35609d178ae0bb7b0668c491072df2ccd7 |
| SHA256 | b6a6080825f1aa797fb6cf98c67797d1748bd6fc4109703f4449595396715692 |
| SHA512 | f74bedc56c381ae008c1f5604d01fe4de464b16b9c86cee185b11cebc2d1c65de93a3627dd0be14582651151bf5e6459f42545680ab1332bf870407fcce5eb41 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8fd8e054ba10661e530e54511658ac20 |
| SHA1 | 72911622012ddf68f95c1e1424894ecb4442e6fd |
| SHA256 | 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7 |
| SHA512 | c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c |
C:\Users\Admin\AppData\Local\Temp\vbcF6A2D067AFFF46E3972E892C126546C5.TMP
| MD5 | 46a9a1d65891d7131dd5286f52c6203e |
| SHA1 | a6fe8efcca856334b1f8b9a35627654d699f0d1c |
| SHA256 | e7abe5e7c2ab777e3fc56a8b4cefc61d29c8b16d3517961ae0cca57855ce1584 |
| SHA512 | 5a70bda074f6c31fca36e61a7958a07c770ad8225d0cd84ecae2355b4fa1a02abde1781822b644fab128a416ee1be2626bf177d53e9b10ae9ef9858bcb7e059f |
C:\Users\Admin\AppData\Local\Temp\RES91B1.tmp
| MD5 | a12245a0a042b915c6cbd64e52284d96 |
| SHA1 | 8f3099bcb4e566420a73bfa3fa1d92ebfc51966c |
| SHA256 | a225731e72564d6b313111ad1a61f645dfb456e286914391d38454c13c9eace3 |
| SHA512 | daf90d3ab9817d4ce7ad2da422a86c932e3ebe393a424ea4a377156de40a92ded3d0516cbf80424bf92ae54ce89094f1a93d0915618c8397501d5a07c6127727 |
memory/4104-18-0x0000000075080000-0x0000000075631000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp9097.tmp.exe
| MD5 | b1c2a3eb0e1b78b4f3910703b1686521 |
| SHA1 | 55b2744eaa0b91db8cb6472887ba6e7eac679ce3 |
| SHA256 | bf7013ff024f58ecd237918c3bfb4b6027c7a67b2be1970b1f1736212d3fdf1e |
| SHA512 | a8a5240d94bbc7700657dd8aad13cbb0724ec794c7f1fd9742d1982c8c21d873c0b337be91d5ddedbfbaa6ec74749d799f11ef790971d7fa58ad3bf631fdaa81 |
memory/3908-22-0x0000000075080000-0x0000000075631000-memory.dmp
memory/208-23-0x0000000075080000-0x0000000075631000-memory.dmp
memory/208-24-0x0000000075080000-0x0000000075631000-memory.dmp
memory/208-26-0x0000000075080000-0x0000000075631000-memory.dmp
memory/208-27-0x0000000075080000-0x0000000075631000-memory.dmp
memory/208-28-0x0000000075080000-0x0000000075631000-memory.dmp