Analysis Overview
SHA256
79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78
Threat Level: Known bad
The file 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N was found to be: Known bad.
Malicious Activity Summary
Metamorpherrat family
MetamorpherRAT
Checks computer location settings
Uses the VBS compiler for execution
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 16:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 16:30
Reported
2024-11-05 16:32
Platform
win7-20241010-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpE080.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpE080.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpE080.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpE080.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe
"C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h-zcduz1.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3CA.tmp"
C:\Users\Admin\AppData\Local\Temp\tmpE080.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE080.tmp.exe" C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe
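The vbc.exe / cvtres.exe / tmpE080.tmp.exe chain in the process list above, together with the caspol.exe Run value written by tmpE080.tmp.exe, are the two behaviours in this run worth turning into detection logic. The Python below is an added example, not code from the sandbox, the report, or the analysed sample. It feeds a few constructed Sysmon-style process-creation and registry-set records (the field names image, command_line, ppid, target_object and details are an assumed schema) through three independent checks, and includes two benign controls (an MSBuild-driven vbc.exe compile and a OneDrive Run value) so the rules can be seen not firing on ordinary activity. caspol.exe is a genuine .NET Framework utility (the Code Access Security Policy tool), which is what makes it a plausible-looking Run value name; pids 2592 and 2236 follow the memory-dump names in this run, the remaining pids and the csc.exe/regasm.exe-style name lists are assumptions.

```python
"""Detection checks for the behaviour recorded in behavioral1/behavioral2:
a binary running from %TEMP% invokes the .NET VB compiler (vbc.exe) with an
@*.cmdline response file, a freshly compiled tmp*.tmp.exe is then executed
from %TEMP%, and that binary writes a Run value whose name borrows a real
.NET Framework tool name (caspol.exe) while pointing at an executable in %TEMP%.

EVENTS is CONSTRUCTED from the report; the field layout is an assumed
Sysmon-like schema, not the sandbox's own export format."""

import re

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RESPONSE_FILE_RE = re.compile(r'@"?[^"\s]*\.cmdline', re.I)      # vbc.exe /noconfig @"x.cmdline"
TMP_EXE_RE = re.compile(r"\\tmp[0-9A-F]{1,8}\.tmp\.exe$", re.I)    # GetTempFileName() name + .exe
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}                          # csc.exe: assumed generalisation
# .NET Framework utilities whose names make a convincing Run value name.
# caspol.exe is the one on this page; the others are assumed additions.
DOTNET_LOOKALIKES = {"caspol.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def first_path(details):
    """Executable path from Run value data: '"C:\\x.exe" /arg' or 'C:\\x.exe /arg'."""
    details = details.strip()
    if details.startswith('"'):
        return details[1:].split('"', 1)[0]
    return details.split(" ", 1)[0]


def analyze(events):
    """Return (rule, pid) findings. Rules are independent so a partial chain still surfaces."""
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}
    findings = []
    for e in events:
        if e["event"] == "process_create":
            parent = procs.get(e["ppid"])
            parent_in_temp = bool(parent and TEMP_RE.search(parent["image"]))
            name = basename(e["image"])
            # Rule 1: a %TEMP%-resident process drives the .NET compiler via a response file.
            if name in DOTNET_COMPILERS and RESPONSE_FILE_RE.search(e["command_line"]) and parent_in_temp:
                findings.append(("temp_process_spawns_dotnet_compiler", e["pid"]))
            # Rule 2: a tmpXXXX.tmp.exe (the compiler's output) is launched by a %TEMP% parent.
            elif TMP_EXE_RE.search(e["image"]) and parent_in_temp:
                findings.append(("compiled_tmp_exe_executed_from_temp", e["pid"]))
        elif e["event"] == "registry_set" and RUN_KEY_RE.search(e["target_object"]):
            # Rule 3: Run value whose target lives in %TEMP%; note a .NET-lookalike value name.
            if TEMP_RE.search(first_path(e["details"])):
                rule = "run_value_points_into_temp"
                if basename(e["target_object"]) in DOTNET_LOOKALIKES:
                    rule += "+dotnet_lookalike_name"
                findings.append((rule, e["pid"]))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe"
NETFX = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SID = r"HKU\S-1-5-21-3692679935-4019334568-335155002-1000"
TMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\tmpE080.tmp.exe"

# Constructed records; pids 2592/2236 follow the memory-dump names in behavioral1, others are invented.
EVENTS = [
    {"event": "process_create", "pid": 2592, "ppid": 1000, "image": SAMPLE, "command_line": f'"{SAMPLE}"'},
    {"event": "process_create", "pid": 2236, "ppid": 2592, "image": NETFX + r"\vbc.exe",
     "command_line": f'"{NETFX}\\vbc.exe" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\h-zcduz1.cmdline"'},
    {"event": "process_create", "pid": 2300, "ppid": 2236, "image": NETFX + r"\cvtres.exe",
     "command_line": NETFX + r"\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"},
    {"event": "process_create", "pid": 2400, "ppid": 2592, "image": TMP_EXE,
     "command_line": f'"{TMP_EXE}" {SAMPLE}'},
    {"event": "registry_set", "pid": 2400, "image": TMP_EXE,
     "target_object": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe",
     "details": r'"C:\Users\Admin\AppData\Local\Temp\InstallMembership.exe"'},
    # Benign control: a build invoking vbc.exe with the same response-file syntax, parent not in %TEMP%.
    {"event": "process_create", "pid": 4999, "ppid": 1, "image": r"C:\Program Files\dotnet\MSBuild.exe",
     "command_line": "MSBuild.exe app.vbproj"},
    {"event": "process_create", "pid": 5000, "ppid": 4999,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "command_line": r'vbc.exe /noconfig @"C:\src\app\obj\Debug\app.cmdline"'},
    # Benign control: a Run value that points outside %TEMP%.
    {"event": "registry_set", "pid": 3000, "image": r"C:\Windows\explorer.exe",
     "target_object": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for rule, pid in analyze(EVENTS):
        print(f"{pid}\t{rule}")
```

The trigger for the first rule is deliberately the combination (compiler, response file, parent in %TEMP%) rather than vbc.exe on its own: build tooling issues exactly the same `/noconfig @x.cmdline` command line, which is why the MSBuild control stays silent. The third rule fires on the %TEMP% target path alone; the lookalike name is appended as a second signal rather than required, so a future variant that picks a different value name is still caught.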
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | | tcp |
Files
memory/2592-0-0x0000000074611000-0x0000000074612000-memory.dmp
memory/2592-1-0x0000000074610000-0x0000000074BBB000-memory.dmp
memory/2592-2-0x0000000074610000-0x0000000074BBB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\h-zcduz1.cmdline
| MD5 | dc2131c6d37380fc7f85a889c600e934 |
| SHA1 | 66a212bd740c5dfc8b723c35aaba75f0da0ec3ae |
| SHA256 | b2a99e26e10fbfdb54027828e073e4cc240a0a71075ff1128e9f076a5ce0b19d |
| SHA512 | 3c10f8edd720dd71a032756c32685ad375394742ac6607aaddf4adfedd785df421519e0082efcbd775cad372d2f730f98ebc585e4f840c0ad0ca4f6247fb0a7b |
memory/2236-8-0x0000000074610000-0x0000000074BBB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\h-zcduz1.0.vb
| MD5 | b52caa88377c43f99aa5dc03421017d8 |
| SHA1 | 36f1df4497a59005f891a0e1df1a13f1ed80f4b9 |
| SHA256 | 4e21eb92d0c2b10dc1221f259e5e8eafc622f1381c167acbb4dd6b7c3fbdc8b4 |
| SHA512 | d6ccb9a63fd7c55593ceeb198b680a7f813465a0ebb18c51666229d551b708d2d64975f4faeb1299fc82334e9a17da579ec992b8677ae2607e60d46d70b8079d |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | a26b0f78faa3881bb6307a944b096e91 |
| SHA1 | 42b01830723bf07d14f3086fa83c4f74f5649368 |
| SHA256 | b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5 |
| SHA512 | a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c |
C:\Users\Admin\AppData\Local\Temp\vbcE3CA.tmp
| MD5 | a9bf8a338e44936152cdbe18d49a8460 |
| SHA1 | 5af5a9684a59910976424e32a3c1d4b89021e6bd |
| SHA256 | 66147ee47b1c0ed25f548af4133fc372a849f2c91cf8404e6522ed957be96d50 |
| SHA512 | 731947c4b4af2055f1c46a701e0632b5a4fbfc2aae70211f045f1d62fd4272f492c74428ac37aff0834e18c1664d99b05283c82b1b25f4723944e6c0d07e0958 |
C:\Users\Admin\AppData\Local\Temp\RESE3CB.tmp
| MD5 | 27f87a2997031f2648f213b06c90e069 |
| SHA1 | bf1f763b8d4e9c112afaff1067786b2514cfec2a |
| SHA256 | 949aa95173884369733eaf092fb394104d2294b2ecd01bb0d8c7c218b0c52c29 |
| SHA512 | db95ea245664de3fe72663369c8d71090986a5f1d83648f7b69c8075a3eeebb375b7b19b37974db1bf836594d8311a0d8a835aed5132c2125fb448a1d7a4f91b |
memory/2236-18-0x0000000074610000-0x0000000074BBB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE080.tmp.exe
| MD5 | c84c1032b75b7f8d96ba99834ba0340f |
| SHA1 | 4c66ce7ba7cc80f0261dfa1ecf18c3b73a5c097f |
| SHA256 | 303b733ba5fb639dc23f8d70d64840b9728091999a9088e173c2e7d9d54f92c3 |
| SHA512 | c38d9a71aeb2d5d361338f613c36aa8d3a9c5f33d8345d1da04cb1168a19d28d6092b770ab0e3a40d218efb02aeb9a803b44b177d792229c0191f2e4895fd3db |
memory/2592-24-0x0000000074610000-0x0000000074BBB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-05 16:30
Reported
2024-11-05 16:32
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB268.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpB268.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpB268.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB268.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe
"C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wuiqwj99.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB856D972988A4663B2C2D461901BE83.TMP"
C:\Users\Admin\AppData\Local\Temp\tmpB268.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB268.tmp.exe" C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
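Both Network tables on this page (the win7 run above the behavioral1 Files list and the win10 run just above) have the same shape: repeated DNS lookups for t5tmike.no-ip.info that are never followed by a TCP session to that name, and a long run of plain-HTTP sessions to 44.221.84.105:80 resolved from bejnz.com. The Python below is an added example, not code from the sandbox or the report: it parses rows in the table format printed here, separates DNS lookups from TCP sessions, filters the reverse lookups and bing.com traffic that the win10 image generates on its own, and reports repeated destinations, dynamic-DNS names, and names that were queried but never connected to. SAMPLE_TABLE is a constructed subset of the behavioral2 rows plus one row in the 4-column shape (no domain cell) that the behavioral1 table ends with; the dynamic-DNS suffix list and the noise filter are assumptions.

```python
"""Summary of a sandbox 'Network' table as printed on this page.

DNS lookups are separated from TCP sessions, sandbox/OS background traffic is
filtered, and the result flags repeated sessions to one destination, dynamic-DNS
hostnames, and hostnames that were queried but never received a TCP session.

SAMPLE_TABLE is a CONSTRUCTED subset of the behavioral2 rows. DDNS_SUFFIXES and
NOISE_RE are assumptions, not part of the report."""

import re
from collections import Counter

# | Country | ip:port | domain (cell may be absent) | tcp/udp |
ROW_RE = re.compile(
    r"^\|\s*(\w+)\s*\|\s*([0-9.]+):(\d+)\s*\|(?:\s*([^|]*?)\s*\|)?\s*(tcp|udp)\s*\|$", re.I)
# no-ip.info is on the page; the other suffixes are assumed additions.
DDNS_SUFFIXES = (".no-ip.info", ".no-ip.org", ".ddns.net", ".duckdns.org")
# Reverse lookups and the Bing hosts the win10 image contacts on its own.
NOISE_RE = re.compile(r"(\.in-addr\.arpa|\.bing\.com|\.bing\.net)$", re.I)

SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | tcp |
"""


def parse_rows(text):
    """Parse table lines into dicts; header and non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain or None, "proto": proto.lower()})
    return rows


def summarise(rows, min_beacon=5):
    """Count DNS queries per name and TCP sessions per (ip, port, domain), then derive findings."""
    dns_queries = Counter()
    tcp_sessions = Counter()
    for r in rows:
        if r["domain"] and NOISE_RE.search(r["domain"]):
            continue
        if r["proto"] == "udp" and r["port"] == 53:
            dns_queries[r["domain"]] += 1
        elif r["proto"] == "tcp":
            tcp_sessions[(r["ip"], r["port"], r["domain"])] += 1
    per_ip = Counter()                       # domain-less rows still count against the IP
    for (ip, _, _), n in tcp_sessions.items():
        per_ip[ip] += n
    connected = {d for (_, _, d) in tcp_sessions if d}
    return {
        "beacons": [{"ip": ip, "port": port, "domain": d, "count": n}
                    for (ip, port, d), n in tcp_sessions.items() if n >= min_beacon],
        "connections_per_ip": dict(per_ip),
        "cleartext_http": sorted({f"{ip}:{port}" for (ip, port, _) in tcp_sessions if port == 80}),
        "ddns_lookups": sorted(d for d in dns_queries if d and d.endswith(DDNS_SUFFIXES)),
        "queried_never_connected": sorted(d for d in dns_queries if d and d not in connected),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_rows(SAMPLE_TABLE)).items():
        print(f"{key}: {value}")
```

Run against the full behavioral2 table the "queried_never_connected" entry is the useful one: a dynamic-DNS name that is re-queried throughout the run without ever producing a session is either unresolved at detonation time or a fallback channel, and it belongs on the block list alongside bejnz.com and 44.221.84.105 rather than being dismissed because no traffic reached it. The noise filter is deliberately a suffix list you can see and edit; silently dropping anything "known good" is how a C2 on a reputable CDN gets missed.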
Files
memory/4212-0-0x0000000075422000-0x0000000075423000-memory.dmp
memory/4212-1-0x0000000075420000-0x00000000759D1000-memory.dmp
memory/4212-2-0x0000000075420000-0x00000000759D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wuiqwj99.cmdline
| MD5 | b305d1708d66639051f2704c97c3f478 |
| SHA1 | 5c80804dd4f53fdb2973defc66b0113d498ef262 |
| SHA256 | db50c7ec77c01d341ffa342cdab5cf56641d301e4c783bed404d6ab85f9144fd |
| SHA512 | ff43cb09e3f3f361474d4d96d2062b5222f17e1d0e9ea7345b09b9be14236fa72fc23c3731eb0669c321155ef652b0a03592b2ef2002e35c8a42874a0a93ef46 |
memory/4252-8-0x0000000075420000-0x00000000759D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wuiqwj99.0.vb
| MD5 | 1a9a1dc13ec78d32e6354d8202e47bcb |
| SHA1 | 09c7cc0b3c3ea2abebc12ca956d7db5d1baa56e7 |
| SHA256 | 8342625acaa54212d902784f7b8ed0f444417553782a9133b419746cb90a38ce |
| SHA512 | f1525479c674087d4e402a38ec7a3fd2c3f64ca90162c0fda610ec90a55df7cf6c77f3521720f7ff20d234bbf72f3b277117eb31c663e68408a179bc9b1ab0a5 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | a26b0f78faa3881bb6307a944b096e91 |
| SHA1 | 42b01830723bf07d14f3086fa83c4f74f5649368 |
| SHA256 | b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5 |
| SHA512 | a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c |
C:\Users\Admin\AppData\Local\Temp\vbcB856D972988A4663B2C2D461901BE83.TMP
| MD5 | a2bd0bec68b080ec02724df82d6a3c4f |
| SHA1 | e67755c69f7f44c2e03c22d0751fdc30c8c111c8 |
| SHA256 | e41d8eef06fa954eda5b1c8f1b3ca0b5001ceef2d50865dd5902715dfea1f146 |
| SHA512 | a631708fc3ff9adbd0cf8ecb88154d13d612cdcd29f171010a6735b3ab90baa1f3929a0ea009fc7346aa988d41bf7273639eb51a3f3bc0342346246f27519c4a |
C:\Users\Admin\AppData\Local\Temp\RESB3DF.tmp
| MD5 | 578a841d41a2e63e6ac7ce63bb30d055 |
| SHA1 | a38a6e5d05d1ff20ffd8314e361c16d499288261 |
| SHA256 | c4faa0c14076530aa3b93f8c4a62c9d869c848da33fbcfbc4e682a23c8ec3230 |
| SHA512 | 39b601fde025d9d40fa1754ae280a734824c72ef5819d7271db2e89920dd6b32c14d43d6b2bc9a55f964fe7631bc45676e9304ef4df749151da364c81a8f7570 |
memory/4252-18-0x0000000075420000-0x00000000759D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB268.tmp.exe
| MD5 | 398ed26b419df131463cec052758452e |
| SHA1 | f4e0e4c273799e61e0a88fc5a620d96c9cd0cb71 |
| SHA256 | 374f18fa824b343892db689d9d8941cc53b5030d542b72a7ea28563fb1120afa |
| SHA512 | 2d3b274c32e7f8c5803945d9877e4c0b78f9f80348afe5d36fc020ad64239868462a8e3bb6feaf9e88a3855dcdea0c5290929b32061d67e2c8ed3a04cd1c118f |
memory/4212-23-0x0000000075420000-0x00000000759D1000-memory.dmp
memory/4056-22-0x0000000075420000-0x00000000759D1000-memory.dmp
memory/4056-24-0x0000000075420000-0x00000000759D1000-memory.dmp
memory/4056-25-0x0000000075420000-0x00000000759D1000-memory.dmp
memory/4056-26-0x0000000075420000-0x00000000759D1000-memory.dmp