Analysis Overview
SHA256
dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5
Threat Level: Known bad
The file dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 14:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 14:55
Reported
2024-11-04 14:57
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Signatures
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe
"C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n1yil_ir.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC65C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC65B.tmp"
C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | bejnz.com | udp | 1 |
| US | 44.221.84.105:80 | bejnz.com | tcp | 83 |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp | 1 |

The 83 TCP rows in the original capture were identical connections to 44.221.84.105:80 (resolved from bejnz.com) and are collapsed above with a count. t5tmike.no-ip.info, a No-IP dynamic DNS name, was queried once but no connection to it appears in the capture; treat it as an indicator alongside bejnz.com rather than discarding it because only bejnz.com traffic was observed.
Files
memory/1836-0-0x0000000074241000-0x0000000074242000-memory.dmp
memory/1836-1-0x0000000074240000-0x00000000747EB000-memory.dmp
memory/1836-2-0x0000000074240000-0x00000000747EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\n1yil_ir.cmdline
| MD5 | 918d3c699ca71d414f6d96e1d639b158 |
| SHA1 | 4c48583ff486735d7765a4d10ef1d680f5c1f28e |
| SHA256 | e771242c38c696e773981e78536f12280a7bf4177609be5ec3f74c43c54f8ea8 |
| SHA512 | 7503ac09c2f90e7e1f103031c91eddd2202ee43ed31b81fc9ae483627484603e644b22a831489e6cd7e3cc608076ab62d653c58822526e5ea3f889fefe46b4e9 |
memory/2416-8-0x0000000074240000-0x00000000747EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\n1yil_ir.0.vb
| MD5 | e05b7fdd37ffc0aecace2e225098ca47 |
| SHA1 | d4397b5629d3f10c313341f9b23b6381f8ae6be2 |
| SHA256 | d41e79c8c3f9e7457ed2c398d03d9b8d4610ef47a7cfe6351e0a64f539b6d293 |
| SHA512 | 52cdd855aa2868354e8f7150d50fd006c67295d88191fbc3a2d211fbd8daa493208d1da1590c040ab07c3e30863c61bac6ee7130b2b83196c4392c9c7b191355 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | a26b0f78faa3881bb6307a944b096e91 |
| SHA1 | 42b01830723bf07d14f3086fa83c4f74f5649368 |
| SHA256 | b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5 |
| SHA512 | a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c |
C:\Users\Admin\AppData\Local\Temp\vbcC65B.tmp
| MD5 | c501f6928a4c1bd13b2e781a74641ac1 |
| SHA1 | 55a4219aac852ec43115cd2882d8bf15cf68936b |
| SHA256 | ae8db389a144c975de6fbe39618f08fb443a4bb28c59a3207c9b448f9dec2260 |
| SHA512 | 7639effced40398df85287bcc6f0d202fa661759de91ea6f8afdd837c0e927d0f4a7fc4eb6087850197ba93b6b46c7c59623d4706db5ff88a69a7546776a1c59 |
C:\Users\Admin\AppData\Local\Temp\RESC65C.tmp
| MD5 | 22ffe6264ad77a377e85b810bdb2be96 |
| SHA1 | 68acbff65827bc43a7d57798341cd7321f451cd8 |
| SHA256 | f89f9e82d7d0ee3fcf84c48c8ab085da8b58841ede2fdefa9b0ada88f73d8fc0 |
| SHA512 | 13505c146bc27eae8655dce8406d1a39d6daa76fbf588ed99f5545a1aae896301129f930a29c29e7b405c3bcf2bcaa05b2d7652989c7b0604131aca75b3a7484 |
memory/2416-18-0x0000000074240000-0x00000000747EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe
| MD5 | 11b577655b9c35054a0edb8d7c188051 |
| SHA1 | 6990d678156fff24e314a55b29e11d2ee508b59b |
| SHA256 | 1102901fc056b15c60edd00c87e5bc8214704d7d001ccec7993e44efcf820198 |
| SHA512 | 09d8d5faa7bad1ff659c6bd3e3b9a8ea40908e106017ff8de958d0353c565b3b4cb33e57e97351a80288962304980321052036bc8d134e6b36b85372bbe5d91d |
memory/1836-24-0x0000000074240000-0x00000000747EB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 14:55
Reported
2024-11-04 14:57
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
121s
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe
"C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wxt7oz4e.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF28E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9DD9AF7E7614E9BB82CE93FF5E0A552.TMP"
C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe
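Both detonations show the same chain: the sample (running from the user's Temp directory) launches the .NET 2.0 Visual Basic compiler with a response file, vbc.exe calls cvtres.exe to build the resource section, and the parent then executes the freshly compiled tmp*.exe, which writes a Run value named caspol.exe that actually points at %TEMP%\InstallMembership.exe. The detector below is an added example for this page, not code from the sandbox or from the sample; it runs over process and registry events constructed from the behavioral2 tree above. The event dict layout, the PIDs (3356, 4824 and 4920 are taken from the memory-dump names, 1000 and 4900 are made up) and the inclusion of csc.exe alongside vbc.exe are assumptions.

```python
"""Flag the compile-after-delivery chain and the Run-key persistence seen here.

Added example for this page; not code from the sandbox or the sample.
Events below are constructed to mirror the behavioral2 process tree and the
Run-key write recorded above; the dict layout and PIDs are assumptions.
"""
import ntpath
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = TEMP + r"\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe"
PAYLOAD = TEMP + r"\tmpF117.tmp.exe"

# Constructed process events: command lines from the report, pid/ppid assumed.
PROCESS_EVENTS = [
    {"pid": 3356, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4824, "ppid": 3356, "image": NET2 + r"\vbc.exe",
     "cmdline": f'"{NET2}\\vbc.exe" /noconfig @"{TEMP}\\wxt7oz4e.cmdline"'},
    {"pid": 4900, "ppid": 4824, "image": NET2 + r"\cvtres.exe",
     "cmdline": f'{NET2}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
                f'"/OUT:{TEMP}\\RESF28E.tmp" "{TEMP}\\vbc9DD9AF7E7614E9BB82CE93FF5E0A552.TMP"'},
    {"pid": 4920, "ppid": 3356, "image": PAYLOAD, "cmdline": f'"{PAYLOAD}" {SAMPLE}'},
]

# Constructed registry write matching the "Adds Run key" signature above.
RUN_KEY_WRITE = {
    "pid": 4920,
    "key": r"\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000"
           r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "value": "caspol.exe",
    "data": f'"{TEMP}\\InstallMembership.exe"',
}

# Per-user Temp: anything here is writable without privileges.
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Framework compilers the chain can abuse (csc.exe is an assumed generalisation).
COMPILERS = {"vbc.exe", "csc.exe"}
# The @"...cmdline" response file vbc.exe reads its source list from.
RESPONSE_FILE = re.compile(r'@"?([^"]+?\.cmdline)', re.I)


def basename(path):
    return ntpath.basename(path).lower()


def find_runtime_compile_chains(events):
    """One finding per compiler launched by an executable living in user Temp.

    Each finding records the parent, the response file handed to the compiler,
    and every other .exe the same parent started from user Temp, which is where
    the freshly compiled payload (tmpF117.tmp.exe here) shows up.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if basename(ev["image"]) not in COMPILERS:
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None or not USER_TEMP.match(parent["image"]):
            continue
        m = RESPONSE_FILE.search(ev["cmdline"])
        dropped = sorted(
            c["image"] for c in events
            if c["ppid"] == parent["pid"] and c["pid"] != ev["pid"]
            and USER_TEMP.match(c["image"]) and c["image"].lower().endswith(".exe")
        )
        findings.append({
            "parent": parent["image"],
            "compiler": ev["image"],
            "response_file": m.group(1) if m else None,
            "dropped_exes": dropped,
        })
    return findings


def run_value_reasons(value_name, data):
    """Reasons a Run value looks like persistence rather than a real install."""
    target = data.strip().strip('"')
    reasons = []
    if USER_TEMP.match(target):
        reasons.append("target lives in user Temp")
    if value_name.lower().endswith(".exe") and basename(target) != value_name.lower():
        reasons.append("value name mimics a binary (%s) that is not the target" % value_name)
    return reasons


if __name__ == "__main__":
    for finding in find_runtime_compile_chains(PROCESS_EVENTS):
        print("compile chain:", finding)
    print("run key:", run_value_reasons(RUN_KEY_WRITE["value"], RUN_KEY_WRITE["data"]))
```

The two checks map to ATT&CK T1027.004 (Compile After Delivery) and T1547.001 (Registry Run Keys); the second deliberately looks at the mismatch between the value name and the target's file name, since caspol.exe is a genuine .NET Framework tool and the name alone would not stand out in a Run-key listing.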
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | bejnz.com | udp | 1 |
| US | 44.221.84.105:80 | bejnz.com | tcp | 86 |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp | 21 |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp | 1 |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp | 5 |
| US | 8.8.8.8:53 | 13 reverse lookups (*.in-addr.arpa): 28.118.140.52, 76.32.126.40, 95.221.229.192, 105.84.221.44, 232.168.11.51, 53.210.109.20, 198.187.3.20, 172.210.232.199, 88.210.23.2, 57.169.31.20, 43.229.111.52, 43.58.199.20, 10.28.171.150 | udp | 13 |

The original table listed every row in time order; identical rows are collapsed above with a count. The last row lacked its Domain field but had the same destination (44.221.84.105:80) as the other bejnz.com connections and is counted with them. t5tmike.no-ip.info was queried 21 times, interleaved with the bejnz.com connections at roughly one lookup per four connections, and no connection to it was recorded, which is consistent with a dynamic DNS C2 name that did not resolve during detonation. 105.84.221.44.in-addr.arpa and 10.28.171.150.in-addr.arpa are the reverse lookups of the two IPs contacted; the remaining reverse lookups and the tse1.mm.bing.net traffic are likely Windows 10 background activity and should not be attributed to the sample on the strength of this report alone.
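Both network tables (behavioral1 and behavioral2) are dominated by repeated connections to one destination plus lookups that never turn into a connection, and the interesting indicators are easier to see once the rows are aggregated. The script below is an added example for this page, not part of the report: it takes rows in the report's column layout (Country, Destination, Domain, Proto), counts connections per destination, separates DNS lookups from connections, decodes in-addr.arpa names back to the IP they reverse, and reports names that were looked up but never connected to. The input is a constructed subset of the behavioral2 rows, and the dynamic-DNS and background-noise suffix lists are assumptions.

```python
"""Summarise a sandbox network table into IOC counts and lookup-only hosts.

Added example for this page, not part of the report. ROWS is a constructed
subset of the behavioral2 network table (same column layout); the suffix
lists for dynamic DNS and OS background noise are assumptions.
"""
from collections import Counter

# Constructed rows: (country, destination, domain, proto), as in the report.
ROWS = [
    ("US", "8.8.8.8:53", "28.118.140.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "bejnz.com", "udp"),
    ("US", "44.221.84.105:80", "bejnz.com", "tcp"),
    ("US", "8.8.8.8:53", "t5tmike.no-ip.info", "udp"),
    ("US", "8.8.8.8:53", "105.84.221.44.in-addr.arpa", "udp"),
    ("US", "44.221.84.105:80", "bejnz.com", "tcp"),
    ("US", "44.221.84.105:80", "bejnz.com", "tcp"),
    ("US", "8.8.8.8:53", "t5tmike.no-ip.info", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "10.28.171.150.in-addr.arpa", "udp"),
    ("US", "44.221.84.105:80", "", "tcp"),  # final report row carries no Domain
]

# Assumed: free dynamic-DNS suffixes commonly used for RAT C2 names.
DDNS_SUFFIXES = ("no-ip.info", "no-ip.org", "no-ip.biz", "no-ip.com", "ddns.net", "hopto.org")
# Assumed: lookups the OS or sandbox makes on its own, not attributable to the sample.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.net")


def ptr_to_ip(name):
    """'105.84.221.44.in-addr.arpa' -> '44.221.84.105'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return ".".join(reversed(octets))


def summarize(rows):
    """Aggregate report rows into lookups, connections and derived indicators."""
    lookups = Counter()
    connections = Counter()
    connected_domains = set()
    contacted_ips = set()
    for _country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        # Rows to the resolver on 53/udp are DNS queries; everything else is a connection.
        if proto == "udp" and port == "53":
            lookups[domain] += 1
        else:
            connections[(dest, proto)] += 1
            contacted_ips.add(host)
            if domain:
                connected_domains.add(domain)
    # Names queried but never connected to (C2 that did not resolve, fallback hosts).
    lookup_only = sorted(
        d for d in lookups
        if d not in connected_domains and not d.endswith(NOISE_SUFFIXES)
    )
    ddns = sorted(d for d in lookups if d.endswith(DDNS_SUFFIXES))
    # Reverse lookups of IPs we contacted are the OS resolving them back, not new IOCs.
    ptr_of_contacted = sorted(
        ip for ip in (ptr_to_ip(d) for d in lookups) if ip in contacted_ips
    )
    return {
        "lookups": dict(lookups),
        "connections": dict(connections),
        "lookup_only": lookup_only,
        "ddns": ddns,
        "ptr_of_contacted": ptr_of_contacted,
    }


if __name__ == "__main__":
    for key, value in summarize(ROWS).items():
        print(key, value)
```

On the full behavioral2 table this yields 86 connections to 44.221.84.105:80 and 21 lookups of t5tmike.no-ip.info with no connection, which is the detail a blocklist should carry: the dynamic DNS name, not only the IP that happened to answer during detonation.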
Files
memory/3356-0-0x0000000075302000-0x0000000075303000-memory.dmp
memory/3356-1-0x0000000075300000-0x00000000758B1000-memory.dmp
memory/3356-2-0x0000000075300000-0x00000000758B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wxt7oz4e.cmdline
| MD5 | 2c06bbd11e506b6794c1a775fcd86800 |
| SHA1 | b6380dbbb3e7a2eee53453810f34f4b1761e30ea |
| SHA256 | 4f6ed3469d7c70b328660f48880e75e34b3e7ecd852a1c9f12a40d371e8caf2b |
| SHA512 | 43162698c7f5a03f34f0c1a03ed2f3abb80feefb808cad0f648113290f0cea055507dc65a861bc0f259778e10b6e13e3950f7653d9a2c5552640aa9afa8baea4 |
memory/4824-9-0x0000000075300000-0x00000000758B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wxt7oz4e.0.vb
| MD5 | 09fad7aba36cdc1227ef37b4b69ab583 |
| SHA1 | 361f94ac7f244b7d590e1ca66cc9dfebc5080d92 |
| SHA256 | ab2b1f4191eb76180ab154e2ddd7901e7900cb26a6df55b7fa0a165ec3506be9 |
| SHA512 | 4dc97109c79cd015f19eeeeef41a76d8ccb570b6412e0314c13d8009acbf71bb3c42566a5eb490414e90e2a06e597d38d810b4753145f3646f4cff91085f02c7 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | a26b0f78faa3881bb6307a944b096e91 |
| SHA1 | 42b01830723bf07d14f3086fa83c4f74f5649368 |
| SHA256 | b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5 |
| SHA512 | a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c |
C:\Users\Admin\AppData\Local\Temp\vbc9DD9AF7E7614E9BB82CE93FF5E0A552.TMP
| MD5 | 71265b061be93a939ab31db4dc17336c |
| SHA1 | 3c59e735b90550f2d7cd6ba061d555f1affbb3cb |
| SHA256 | 7609834282fa09eb9af9b4b34ded8d924a23f42af46b282812ae2a43163687cc |
| SHA512 | 672398b16ec0f13f94a07ed6b170a9d9126ed561c5964b54c01e405155964a0c33c2f9b105e63576d879855f5bb0f646c23dd47303855fdf34612982bad059ce |
C:\Users\Admin\AppData\Local\Temp\RESF28E.tmp
| MD5 | e369f6c8cae764ae660e30432ccba239 |
| SHA1 | 029ea92d3570227852cd651eadce9f58c17cb5cb |
| SHA256 | 66b9096dfe938455a4e638dda4477731b467e87dcacec4cddd9d4b88acc2ebb6 |
| SHA512 | 11da37b11acf43acd23699c64b88eeb5f8f3950418fb8911bc1b76419a1c75ad3a71f89d1e0420c0bfae4352d398e20186941d703616a47c96dd7d90a4a3053e |
memory/4824-18-0x0000000075300000-0x00000000758B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe
| MD5 | 309e16c91f88babea2ed05f4e2282793 |
| SHA1 | 4619c0a562e0b1065a89b7cb81c3109b27b6fa17 |
| SHA256 | ec0155079b26696a43127f944553cfde0ed75f04177c9ac4433389ef6cf6a1b7 |
| SHA512 | 1b92eacb8a3ccc11334df9915d154255370e8e0bf6f12d88236bfeb2451bea3d07564e083b24e9622dd027437a147f2d0da7dc0183e4b311d07bcd08972cb4bb |
memory/3356-22-0x0000000075300000-0x00000000758B1000-memory.dmp
memory/4920-23-0x0000000075300000-0x00000000758B1000-memory.dmp
memory/4920-24-0x0000000075300000-0x00000000758B1000-memory.dmp
memory/4920-25-0x0000000075300000-0x00000000758B1000-memory.dmp
memory/4920-26-0x0000000075300000-0x00000000758B1000-memory.dmp
memory/4920-27-0x0000000075300000-0x00000000758B1000-memory.dmp
memory/4920-28-0x0000000075300000-0x00000000758B1000-memory.dmp