Analysis Overview
SHA256
9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e
Threat Level: Known bad
The file 9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 17:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 17:45
Reported
2024-11-12 17:47
Platform
win7-20240729-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpCDF9.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpCDF9.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe
"C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zx68fljv.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF51.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF50.tmp"
C:\Users\Admin\AppData\Local\Temp\tmpCDF9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCDF9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
Files
memory/2252-0-0x0000000074081000-0x0000000074082000-memory.dmp
memory/2252-1-0x0000000074080000-0x000000007462B000-memory.dmp
memory/2252-2-0x0000000074080000-0x000000007462B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zx68fljv.cmdline
| MD5 | 08b88f83a52a5c3633cafaad582779be |
| SHA1 | 1a5a455e44dfd8871f5069dcbb4bdb3ade56d4e3 |
| SHA256 | 981573e4c10b2f3d0edfe0d5120da2145e87659dbaaccb544b2c05b650807afd |
| SHA512 | d034bb5a344a1ad8c56569952dfcf5ea1c7c38904b2dd9d5500fea073d7fd868aca5364e2ab06ab00120272313767cfbfdd68ac46d2e4532289c4b58bf2b917a |
memory/2532-8-0x0000000074080000-0x000000007462B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zx68fljv.0.vb
| MD5 | 9cb585132d764c6e7685c96d70c49000 |
| SHA1 | 370a8bf7949da8226e214f718dfaf2ac7823bf61 |
| SHA256 | 4e181b2de6f3b7a8022f41f1893c3f64dd92f38eba8bb473f59cd5459d3b57e1 |
| SHA512 | 765f0883c4ddc234e2551fbd9fe3ac9ff1278a11f6b2cd6736dec5a029687e40747eaa44209a0ac0809fc5b05d42b7d6bfa55e5c0e5249adbf4d0483c61df644 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8008b17644b64cea2613d47c30c6e9f4 |
| SHA1 | 4cd2935358e7a306af6aac6d1c0e495535bd5b32 |
| SHA256 | fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55 |
| SHA512 | 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea |
C:\Users\Admin\AppData\Local\Temp\vbcCF50.tmp
| MD5 | ef24f9c9823a8fb5fde78d33ca96ce4b |
| SHA1 | 9e152e866de05635db9dfd076eeb3f8995abdbcd |
| SHA256 | 9e65371f6e5b90933406a43c06eec68d800784e4185ccb74bbc67b70adc8f933 |
| SHA512 | e296749ebe7d94d4c4ca0a16e4d4567009906c4524ab15b756fdc47c4f74d7973b7e0ad3bd590e80390ac665871426dd7e6631f47d05dabf90b966e07e620835 |
C:\Users\Admin\AppData\Local\Temp\RESCF51.tmp
| MD5 | fd01e5a9fd9b76b3055c9c6f693cd050 |
| SHA1 | 7f0ec189162fd6f0d732a0c8a24eac6d48f65307 |
| SHA256 | efc66a8460bccdad270955bbe310af389e4ed4880909754fe230f958beb0fa63 |
| SHA512 | b6862b1ca1304d7a2bbe29e3208651d034e384be0206d576dd52cf29114075bfac7be15be7ba53c44f8fda513665b60cc2e3f4c14bff57104634e12681dcdffe |
memory/2532-18-0x0000000074080000-0x000000007462B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpCDF9.tmp.exe
| MD5 | 7e2be1392abf487db4c2cbf7332a645d |
| SHA1 | 3dbaeca7ae94ee4c89363ded82505ad4237fdd1b |
| SHA256 | 07f59f66f6b6ae8e2fea3061122a5fef6cc1fed925a27b4357b2babbd0a818ca |
| SHA512 | 0870a6d38c6a8f6fc17039c4264e224797636caff9779352dcdac32b39d6cbfa0e5dbeedf835dcba786aa2347b298163383f9fcd9b9ce5dee61be8960790bf5e |
memory/2252-23-0x0000000074080000-0x000000007462B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 17:45
Reported
2024-11-12 17:47
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
129s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpAF3B.tmp.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpAF3B.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpAF3B.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe
"C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7v9brzly.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB13F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB54CD2D6FC754543883E6CEAC16C36D4.TMP"
C:\Users\Admin\AppData\Local\Temp\tmpAF3B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpAF3B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
Files
memory/2732-0-0x0000000074D22000-0x0000000074D23000-memory.dmp
memory/2732-1-0x0000000074D20000-0x00000000752D1000-memory.dmp
memory/2732-2-0x0000000074D20000-0x00000000752D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7v9brzly.cmdline
| MD5 | 1856ad133ef75e98365027069052c4f7 |
| SHA1 | 1ee2c0054f6321bb419319b03f673a58adaeaf5b |
| SHA256 | c88e1129f0c9b0b15f1eb8944115dcf8e65e763d3a012b76c23fb8e4ad955abf |
| SHA512 | 7e312a7eb5936cc9ae365bac29160ceca1d76b925d9f34887867cbbdfc93610199513396064b2ea063f033191d895c3b461cc96471f3dc15ad783f5cd761cba6 |
C:\Users\Admin\AppData\Local\Temp\7v9brzly.0.vb
| MD5 | bc0b6d21604a9f9154451acaa84da6db |
| SHA1 | ddbb3a3b0cb485270c148db0ac5c149b5002b5dd |
| SHA256 | 5d21d2a034f25bcdb21bccbcbb14fe4179e0a356d53f4da88c00c0f5d14139a1 |
| SHA512 | 2246f79b2aa350d8e51a941998774e5dd35218d059a56cfa5b9c1efad4063cdc3928eec6e7723e00a427a806f8a60c0e2872ada4828bef81a27bfa030d00399f |
memory/424-8-0x0000000074D20000-0x00000000752D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8008b17644b64cea2613d47c30c6e9f4 |
| SHA1 | 4cd2935358e7a306af6aac6d1c0e495535bd5b32 |
| SHA256 | fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55 |
| SHA512 | 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea |
C:\Users\Admin\AppData\Local\Temp\vbcB54CD2D6FC754543883E6CEAC16C36D4.TMP
| MD5 | 5790b4ff0d14ddd16bb5adbae9af599f |
| SHA1 | 69e749aecddcb55f6a45913f59614f973b83db13 |
| SHA256 | bc86d661283a7d461276035a636f51297cdacb9f6e301a94f90e5187818c4789 |
| SHA512 | f8d5cc53bed31dc495f5df46be8d82064e4835e408809cfa8f58b07db7a1dde7b9d0723b40cbcff36f0e19dfe609218f140e892933e89577a10291aefc6b1fc8 |
C:\Users\Admin\AppData\Local\Temp\RESB13F.tmp
| MD5 | 83350de4f6e6164b1bd80f72f9979c63 |
| SHA1 | 7c5fc6724ded101d8d46dc9e245d6f2b981f2baa |
| SHA256 | 976e51a668a962cef77e68adef3a7600220e84a72e7251ba4f3f02cbd1085c19 |
| SHA512 | 0eb4caa95b57bd86f62cad20bb2fe10722c1d5497605c28e7d77886e6f1b83886b36957e1150937c5f475eff15cce0b633969d4eb587996235d84958e8dfda30 |
memory/424-18-0x0000000074D20000-0x00000000752D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpAF3B.tmp.exe
| MD5 | 4e96e4a9bd0f042f0fe76462666a19de |
| SHA1 | 069112f0f37fec4230ec59223403e86699c95064 |
| SHA256 | 1ad0593d956c45532dc8f720931706268aea52d775e80332971f5db95718bf2a |
| SHA512 | a0050b5e3b54ba6a85f6cce4e34be8586c3ac394ffe0bbad7aa000edee62abfe5dd6b93073d3a5707dac05278b0e7582284c4fde6c9f1bc38447794e19838d81 |
memory/2732-22-0x0000000074D20000-0x00000000752D1000-memory.dmp
memory/4192-23-0x0000000074D20000-0x00000000752D1000-memory.dmp
memory/4192-24-0x0000000074D20000-0x00000000752D1000-memory.dmp
memory/4192-25-0x0000000074D20000-0x00000000752D1000-memory.dmp
memory/4192-26-0x0000000074D20000-0x00000000752D1000-memory.dmp
memory/4192-27-0x0000000074D20000-0x00000000752D1000-memory.dmp