Analysis Overview
SHA256
9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4
Threat Level: Known bad
The file 9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
Uses the VBS compiler for execution
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 00:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 00:45
Reported
2024-11-13 00:47
Platform
win7-20240729-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpC967.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpC967.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpC967.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe
"C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_pzjaxil.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB1C.tmp"
C:\Users\Admin\AppData\Local\Temp\tmpC967.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC967.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | N/A | tcp |
Files
memory/2172-0-0x0000000074081000-0x0000000074082000-memory.dmp
memory/2172-1-0x0000000074080000-0x000000007462B000-memory.dmp
memory/2172-2-0x0000000074080000-0x000000007462B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_pzjaxil.cmdline
| MD5 | 1ef814cd22085b729f0df630aa6d509f |
| SHA1 | 03f6606cb81e058b82e8997e27bdcb7bdc48a0c7 |
| SHA256 | 5dff0f797e2e6981d121d9146a8f633755a8b84207180a88fadaf6134e4f4221 |
| SHA512 | 0610a2ca4c04aeeb28a180ee78370ba8f23f46afb662929c90d47443ebaaef0170c3554cf63099db2148c7a70860fa2748be54e35a73955db29c53d3a7d7bacf |
memory/2404-8-0x0000000074080000-0x000000007462B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_pzjaxil.0.vb
| MD5 | 7bfd9c1fa8f2da0e11620903ae76f361 |
| SHA1 | 482ac387378022428d780c0f86d052d816e8a1cf |
| SHA256 | 658a80294a66fd564f95c0eb63d97b6b1906dafd0a61096abd514b22d5972598 |
| SHA512 | d01c3495588382cb9a76b7d3f0946bb9d16db88e27ee18fa90ac2fa4c144e93aa18e57e0c26d5aff0a8e8e6606b6606b83e7d57738e90f553a83babf60b4a1e6 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8008b17644b64cea2613d47c30c6e9f4 |
| SHA1 | 4cd2935358e7a306af6aac6d1c0e495535bd5b32 |
| SHA256 | fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55 |
| SHA512 | 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea |
C:\Users\Admin\AppData\Local\Temp\vbcCB1C.tmp
| MD5 | 875d778be3b026c2cbc338a8ffa4525a |
| SHA1 | 3c9f715629a286a2bcdcccfd5c39c1e0647c01a9 |
| SHA256 | 3462650f1dea4885f6e1e8c3d4c44fa3192f786e3a3e8833e077d410574ef618 |
| SHA512 | bcb14b4283e1e8aca10292abb5b30ac658ab8b73a1de0e77dd1547063f1e034103065debc55ad00e6db08a70685769cfc126eff5754df303e6fabfd97b585777 |
C:\Users\Admin\AppData\Local\Temp\RESCB1D.tmp
| MD5 | df4ddc9aa9764e4948d53e8005ef0427 |
| SHA1 | e06f6c879fdda0a7e1918d0ab9958e426f29544a |
| SHA256 | be646ca952535dfd5956c0f7aafb827f3521d8d38295e84f17a7150476b3776d |
| SHA512 | ed22eda4dc11301dae50d8c9b7d8c5bc499ca07c31f3bef36ac1d672a304bf957b18f67c2783c6abe6e86d59ff4fefc6dafd9056fdcb16edd33bab6df2ea7a22 |
memory/2404-18-0x0000000074080000-0x000000007462B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC967.tmp.exe
| MD5 | 12bac69a8a1456423ca90b98df19dbae |
| SHA1 | 520c948e875738778b53e166139e0e1bb66a8dcf |
| SHA256 | 9f16929a20a4f3147230d15d5d81bdc95738697cada3a940756b974578f5ba0f |
| SHA512 | fa47d09e39c1fdd7a871843daf88cdd18b65d2a2d6e7063413edcfe87b70a54bad386e0094395d5e29e35e21ec5194b30c5f693f0636f978632bcefca0476721 |
memory/2172-23-0x0000000074080000-0x000000007462B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 00:45
Reported
2024-11-13 00:47
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6BCA.tmp.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp6BCA.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6BCA.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe
"C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oi6to-vh.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E3B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB32D55AA86C427C8EF7777DA2C39ED4.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp6BCA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6BCA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe
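The process trees in both behavioral runs show the same chain: the sample in Temp launches vbc.exe with `/noconfig @"<random>.cmdline"`, vbc.exe launches cvtres.exe with `/NOLOGO /READONLY /MACHINE:IX86 /OUT:RES<hex>.tmp`, and the sample then runs a freshly written `tmp<hex>.tmp.exe` with its own path as the only argument. That is the footprint of .NET CodeDOM compile-at-runtime, and the self-referencing argument is how the dropped binary knows which file to delete ("Deletes itself" in behavioral1). The detection below is an added example written for this report, not part of the sandbox tooling or of the sample; the process-creation records are constructed to mirror the tree above (the paths are the report's, the PIDs, the `msbuild.exe` build and the `installer.exe` entry are made up), and the regexes and `find_runtime_compile_chains` are this example's own.

```python
"""Flag .NET runtime-compilation chains (vbc.exe/csc.exe -> cvtres.exe ->
dropped tmp<hex>.tmp.exe) in process-creation telemetry.

Added example for this report, not sandbox output. The events below are
constructed to mirror the process tree in the behavioral runs; PIDs and
the benign/medium entries are invented for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Locations a low-privilege user can write to; a parent running from here is suspect.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.I)
# The two .NET command-line compilers that CodeDOM invokes.
DOTNET_COMPILER = re.compile(r"\\(vbc|csc)\.exe$", re.I)
# CodeDOM passes compiler options via a response file: /noconfig @"<random>.cmdline"
RESPONSE_FILE = re.compile(r'@"?[^"\s]*\.cmdline"?', re.I)
# CodeDOM output name when no output path is set: tmp<4 hex>.tmp.exe
CODEDOM_OUTPUT = re.compile(r"\\tmp[0-9a-f]{4}\.tmp\.exe$", re.I)


@dataclass(frozen=True)
class ProcEvent:          # minimal stand-in for a Sysmon EID 1 / 4688 record
    pid: int
    ppid: int
    image: str
    cmdline: str


def find_runtime_compile_chains(events):
    """One finding per parent (in a user-writable dir) that compiled code at runtime.

    severity 'high'   : the parent also executed the CodeDOM output binary.
    severity 'medium' : compile only, no dropped binary run.
    Compiles launched from elsewhere (IDE, build host) are not reported.
    """
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)

    findings = []
    for parent in events:
        if not USER_WRITABLE.search(parent.image):
            continue
        kids = children[parent.pid]
        compilers = [k for k in kids
                     if DOTNET_COMPILER.search(k.image) and RESPONSE_FILE.search(k.cmdline)]
        if not compilers:
            continue
        dropped = [k for k in kids if CODEDOM_OUTPUT.search(k.image)]
        # The report shows the dropped binary started with the parent's own path as
        # its argument; that self-reference is what enables the later self-deletion.
        self_ref = any(parent.image.lower() in d.cmdline.lower() for d in dropped)
        findings.append({
            "parent_pid": parent.pid,
            "parent_image": parent.image,
            "severity": "high" if dropped else "medium",
            "compiler": compilers[0].image,
            "dropped_exe": [d.image for d in dropped],
            "self_reference": self_ref,
        })
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FX = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = TEMP + r"\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe"

SAMPLE_EVENTS = [  # constructed; paths follow behavioral1, PIDs are invented
    ProcEvent(1000, 600, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1001, 1000, FX + r"\vbc.exe",
              f'"{FX}\\vbc.exe" /noconfig @"{TEMP}\\_pzjaxil.cmdline"'),
    ProcEvent(1002, 1001, FX + r"\cvtres.exe",
              f'{FX}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
              f'"/OUT:{TEMP}\\RESCB1D.tmp" "{TEMP}\\vbcCB1C.tmp"'),
    ProcEvent(1003, 1000, TEMP + r"\tmpC967.tmp.exe", f'"{TEMP}\\tmpC967.tmp.exe" {SAMPLE}'),
    # Benign developer build from Program Files (invented): must not be reported.
    ProcEvent(2000, 1, r"C:\Program Files\MSBuild\msbuild.exe", "msbuild.exe proj.vbproj"),
    ProcEvent(2001, 2000, FX + r"\vbc.exe", f'"{FX}\\vbc.exe" /noconfig @"C:\\src\\obj\\x.cmdline"'),
    # Compile from Temp with no dropped binary executed (invented): medium.
    ProcEvent(3000, 600, TEMP + r"\installer.exe", f'"{TEMP}\\installer.exe"'),
    ProcEvent(3001, 3000, FX + r"\csc.exe", f'"{FX}\\csc.exe" /noconfig @"{TEMP}\\abc.cmdline"'),
]

if __name__ == "__main__":
    for f in find_runtime_compile_chains(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["parent_image"], "->", f["dropped_exe"] or "(compile only)")
```

The distinguishing evidence is the chain, not any single signature: the "System Location Discovery" hits on `NLS\Language` fire for vbc.exe and cvtres.exe as well, which are Microsoft's own tools, so that key being opened is ordinary runtime behaviour and carries no weight on its own. cvtres.exe as a child of vbc.exe is likewise normal for any compile; what is abnormal is a compiler spawned by a binary in Temp followed by execution of the `tmp<hex>.tmp.exe` it produced.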
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | simrat.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
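The Network tables of both behavioral runs are dominated by repeated TCP connections to 44.221.84.105:80 attributed to bejnz.com, alongside DNS lookups for simrat.no-ip.info (a dynamic-DNS host) and, on the Windows 10 run, a stream of `in-addr.arpa` reverse lookups. The script below is an added example, not sandbox tooling: it parses rows in the report's own table format into a connection summary, separating the C2 beacon pattern and the IOC domains from reverse-lookup noise. The input rows are a constructed subset of the tables above (including one row whose Domain cell is N/A, and tolerating a row with the Domain cell missing altogether); the dynamic-DNS suffix list, the beacon threshold and the `summarise` function are this example's own choices.

```python
"""Turn the Network table of a sandbox report into IOCs and a beaconing profile.

Added example for this report, not part of the sandbox. SAMPLE_ROWS is a
constructed subset of the behavioral Network tables in the report's own
row format; thresholds and the dynamic-DNS list are this example's choices.
"""
import re
from collections import Counter
from pprint import pprint

# Well-known dynamic-DNS suffixes (illustrative, not exhaustive).
DYNAMIC_DNS = (".no-ip.info", ".no-ip.org", ".no-ip.biz", ".ddns.net", ".duckdns.org", ".dyndns.org")
REVERSE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.I)
BEACON_MIN_CONNECTIONS = 10   # repeated same-destination connections in one run


def parse_row(line):
    """Parse '| CC | ip:port | domain | proto |'. Returns None for headers/junk.
    A 3-cell row (Domain column missing) and an 'N/A' domain are both accepted."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) == 4:
        cc, dst, domain, proto = cells
    elif len(cells) == 3:
        cc, dst, proto = cells
        domain = ""
    else:
        return None
    ip, _, port = dst.rpartition(":")
    if not port.isdigit() or proto.lower() not in ("tcp", "udp"):
        return None
    domain = None if domain in ("", "N/A") else domain.lower()
    return {"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto.lower()}


def summarise(lines):
    conns = [r for r in map(parse_row, lines) if r]
    tcp = Counter((r["ip"], r["port"]) for r in conns if r["proto"] == "tcp")
    contacted = {ip for ip, _ in tcp}
    queries = [r["domain"] for r in conns
               if r["proto"] == "udp" and r["port"] == 53 and r["domain"]]
    forward, related_reverse, noise = set(), set(), set()
    for q in queries:
        m = REVERSE.match(q)
        if not m:
            forward.add(q)
            continue
        ip = ".".join(m.groups()[::-1])          # a.b.c.d.in-addr.arpa -> d.c.b.a
        (related_reverse if ip in contacted else noise).add(ip)
    attributed = {}                              # domain the report pairs with each TCP ip
    for r in conns:
        if r["proto"] == "tcp" and r["domain"]:
            attributed.setdefault(r["ip"], r["domain"])
    return {
        "tcp_connections": dict(tcp),
        "beacon_candidates": [f"{ip}:{p}" for (ip, p), n in tcp.items()
                              if n >= BEACON_MIN_CONNECTIONS],
        "domains": sorted(forward),
        "dynamic_dns": sorted(d for d in forward if d.endswith(DYNAMIC_DNS)),
        "reverse_lookups_of_contacted_ips": sorted(related_reverse),
        "background_reverse_lookups": len(noise),
        "ip_to_domain": attributed,
    }


SAMPLE_ROWS = (  # constructed subset of the report's Network tables
    ["| Country | Destination | Domain | Proto |",
     "| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |",
     "| US | 8.8.8.8:53 | bejnz.com | udp |",
     "| US | 8.8.8.8:53 | simrat.no-ip.info | udp |",
     "| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |"]
    + ["| US | 44.221.84.105:80 | bejnz.com | tcp |"] * 12
    + ["| US | 44.221.84.105:80 | N/A | tcp |"]
)

if __name__ == "__main__":
    pprint(summarise(SAMPLE_ROWS))
```

Two readings a practitioner would take from the result: the only TCP destination is 44.221.84.105:80, hit dozens of times within a 120 s run, which is a beacon profile rather than a download; and simrat.no-ip.info is queried repeatedly but no TCP row is attributed to it, so within the capture window that dynamic-DNS host either did not resolve or was not contacted. The other `in-addr.arpa` queries resolve to addresses that were never contacted and are treated as background lookups; the one for 105.84.221.44.in-addr.arpa maps back to the C2 address and is kept for context.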
Files
memory/3608-0-0x0000000074892000-0x0000000074893000-memory.dmp
memory/3608-1-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/3608-2-0x0000000074890000-0x0000000074E41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oi6to-vh.cmdline
| MD5 | d610c8d7dcaa3aeea411cec96e4924c1 |
| SHA1 | d5e7e9e626bdd7540f33b63db396eafa92ce874c |
| SHA256 | 81b1eae818e434a62b242964a9b54fa26a634190aaba2015438ae0753a746e2e |
| SHA512 | aaa6d50685036c1eeeb6057bbdc9dd768eb733649eef19f209ff11c48c037ff691d20971d621e18348b5611ce5ec8175bad11c71cc1f85f47f4536234eb8274d |
C:\Users\Admin\AppData\Local\Temp\oi6to-vh.0.vb
| MD5 | d858874e6fedd9dcd36f7782d84304fa |
| SHA1 | 82aa28fe8e5acaca1782cb8b66cc40331481f8b1 |
| SHA256 | cb1a74e2d2bc97c765246b0e708343423727a14bd90b6321a798770af510bcdd |
| SHA512 | bc44d3f5b32d6508f9e7950a8b872c4f153b133048519f984d8468df07bf7c7f8e5b2714f14f47d5db899baadef3c859fe5f49299f732d9c048a5fd2f5feb390 |
memory/4172-9-0x0000000074890000-0x0000000074E41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8008b17644b64cea2613d47c30c6e9f4 |
| SHA1 | 4cd2935358e7a306af6aac6d1c0e495535bd5b32 |
| SHA256 | fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55 |
| SHA512 | 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea |
C:\Users\Admin\AppData\Local\Temp\vbcDB32D55AA86C427C8EF7777DA2C39ED4.TMP
| MD5 | e9d7619c1d2546e2dab4628ae1f0ea1c |
| SHA1 | 29a59d5f2898abdc304d38b31527f231554eab63 |
| SHA256 | d1e956b1bfca28ee13b6fe03ee4a5f603b54a6603ddad4a17faacaec5131900c |
| SHA512 | 9aa985f1fc3a03b96c7484b8d1a594427cce6ded3f62ec10607349d1a6a2e77c570e27a7b2495c9bcf6224420f8fd78ebd94a9e057d54381c4d96c8a6e51affc |
C:\Users\Admin\AppData\Local\Temp\RES6E3B.tmp
| MD5 | 79d8952620bf6d0995f99593c375df94 |
| SHA1 | 4936833786c64491698fcf7605ddde5059388e94 |
| SHA256 | 90bd4ca85f725de8680141ec1e1ab57027261c4d5e8a89c72744265399aef86f |
| SHA512 | e34a0b07ac491e0c4487cd3782c23a3240507610a34a433497a72fba584236d0ab4eae2112267cb36db81a7456f9166e43604f949d895c4aff0ea64002ad0d7d |
memory/4172-18-0x0000000074890000-0x0000000074E41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp6BCA.tmp.exe
| MD5 | 98dc8f8e9150e5a85ef5e27e0b8066ca |
| SHA1 | 9f3453d995835080d4970a51d4e7998c933ff571 |
| SHA256 | 66d54a16dd19741c0015b91c929d114f26cda37fa0d95761636acc8dc2ce96aa |
| SHA512 | 6d188b42c56b8528d7ca342d05d4a8a0c6c67eec0774a0250567af54fb72c883474d3812ad03dae7dad586d4185e3692f5041b350a0a865c994c6079ff7ef7ab |
memory/3608-22-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/5108-23-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/5108-24-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/5108-25-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/5108-26-0x0000000074890000-0x0000000074E41000-memory.dmp
memory/5108-27-0x0000000074890000-0x0000000074E41000-memory.dmp