Analysis Overview
SHA256
9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92
Threat Level: Known bad
The file 9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Metamorpherrat family
Deletes itself
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 10:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 10:41
Reported
2024-11-09 10:43
Platform
win7-20241010-en
Max time kernel
115s
Max time network
120s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp928F.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp928F.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp928F.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp928F.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe
"C:\Users\Admin\AppData\Local\Temp\9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k5w_dckc.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc93E6.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp928F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp928F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
Files
memory/2500-0-0x0000000074951000-0x0000000074952000-memory.dmp
memory/2500-1-0x0000000074950000-0x0000000074EFB000-memory.dmp
memory/2500-2-0x0000000074950000-0x0000000074EFB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\k5w_dckc.cmdline
| MD5 | 6c4040ebd713f039f3f68b65a3defa88 |
| SHA1 | b27f6b649440a28b2f368ffa6b9a27a6cee391ed |
| SHA256 | 4989346cf273f22ec92188b6afd7c3ec962853f067e0a32c04991d286ab7dc8b |
| SHA512 | de3f430fe215e1eaa7ded4558f46c9fca33ce8534591b1d3da7d16bf16c36a16d9a64ca1bfb79f38aa6bbc92d9e1013073ca6a2bfdc25a02fd1d89cbeb52d34a |
memory/2404-8-0x0000000074950000-0x0000000074EFB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\k5w_dckc.0.vb
| MD5 | 8ecbcd87d9e82de00e44e8c77313199e |
| SHA1 | f7800c411122e136c34ec3b221564fbbc0c6875f |
| SHA256 | 944a479475a2085a7f6d331363017a1763cb5686c0f826bc296359753c3e2f66 |
| SHA512 | e2bb8f0a76e2b8e01f258e62b6a4ba1bbd0d07d29c004c4ead64ece7fbf1bea085ad00aef63bcbc09d0718f2cd4d9c48fcba9287b2d16894c4fefb31cf8e9eea |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | a26b0f78faa3881bb6307a944b096e91 |
| SHA1 | 42b01830723bf07d14f3086fa83c4f74f5649368 |
| SHA256 | b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5 |
| SHA512 | a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c |
C:\Users\Admin\AppData\Local\Temp\vbc93E6.tmp
| MD5 | 0a09da9fd949d30b30231c3d4c073287 |
| SHA1 | 4f1b27a18a9a844c67f8604872abeb199d9707e8 |
| SHA256 | 7366e1cc2b4fedb8e4e10de5674072c567ff7d9c3027c42a0c733d3f8920273f |
| SHA512 | e2a76b19cc770c1d6433584aacd56d522e9ac1cee88fd3298b0e9087a018c3f3809a7265555f860e94638c52012e74cb832ffa84c906fe90825e2ccf1ed9916c |
C:\Users\Admin\AppData\Local\Temp\RES93E7.tmp
| MD5 | b12a78782a36fcaa5b826e308e1bb4af |
| SHA1 | 86b84434f3da5047deba1e88a6a196c2e2a54813 |
| SHA256 | afccc870190009a5fbd1383fe56b7567bd258ed35ef1a3da63377835a54f2b7d |
| SHA512 | d8d9779a74599539c5e627551654f93f5fd2c230a2e4b51d29b6ed4dcaee95324e295c40117f3666033d57e289b05e347f13023e4bca701b86a9640dc9af2522 |
memory/2404-18-0x0000000074950000-0x0000000074EFB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp928F.tmp.exe
| MD5 | b261b8a739d94a56447f6d7a465618e6 |
| SHA1 | f37bf864020ae24403fe19251bfffedb9bc7249f |
| SHA256 | 810a70d4524b4d42345b1be9c771e0cbb10df8afb972eecebf2b2a3d8423f54f |
| SHA512 | 1b6bae981cfb6e2307e835e9c53a9841b6964417f4d650fd3ab15cbd29dcd51693dde2ede31b2a6bda668d051e508cce5538d3ffda4bdd9c4c98b8d28425ebee |
memory/2500-24-0x0000000074950000-0x0000000074EFB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 10:41
Reported
2024-11-09 10:43
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6E89.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6E89.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp6E89.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp6E89.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6E89.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe
"C:\Users\Admin\AppData\Local\Temp\9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kf8q_5lu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FA2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC0F5BB6E15034C02B9907C8C236BEF41.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp6E89.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6E89.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9be9479bd82a466299381b81d8ce2166e9165a77a920346d6c3f65e49b417f92N.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/2936-0-0x0000000074F32000-0x0000000074F33000-memory.dmp
memory/2936-1-0x0000000074F30000-0x00000000754E1000-memory.dmp
memory/2936-2-0x0000000074F30000-0x00000000754E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kf8q_5lu.cmdline
| MD5 | 1ddbe5d1d3b56067bcaa4f0d06b0aab8 |
| SHA1 | c203a5c4083f40dd9af78585175907584a8450f3 |
| SHA256 | 9ccac78dda2367d4b397fc171f166632d1b40e30228b3c4d569013abfb7c5e9b |
| SHA512 | 015688fc3dda059d93b0696e96c9db4404593f4804f6931e96e4a14376c35721cd62fc51a97b950e726aa7eb507ef3d11fa477def9d7dfbf7eab3f03cef63f00 |
C:\Users\Admin\AppData\Local\Temp\kf8q_5lu.0.vb
| MD5 | c8bfe5923a147c68e9c9bb3feab38e83 |
| SHA1 | 63921ed51dc9bd978824e11a35a0fcc9ec39b88c |
| SHA256 | 78b7cb0e654060cba12655d3abe14e084b1191338eb8e5eb8261e5fe07b8f144 |
| SHA512 | eacd17163788dceeb91b8a09d54aba2b43ec0b7c6888f2b6bfed2dc5133cc145711606bfdd48e5e71e2c51b001ab65064365a6e72f72fc329c58acfe16b7581e |
memory/4968-9-0x0000000074F30000-0x00000000754E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | a26b0f78faa3881bb6307a944b096e91 |
| SHA1 | 42b01830723bf07d14f3086fa83c4f74f5649368 |
| SHA256 | b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5 |
| SHA512 | a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c |
C:\Users\Admin\AppData\Local\Temp\vbcC0F5BB6E15034C02B9907C8C236BEF41.TMP
| MD5 | beb012940b5be7f7124b7923454a920a |
| SHA1 | a481e80adfe594ac34e151427cbb1decd10988ee |
| SHA256 | 6bed8113afd4de5d11ff1708b0bf558a837a777bbe74438bc0555dd9c4130710 |
| SHA512 | 8d9dfd57bfd766f540353143b9c778838d5f8b9a99bc29e56b7d6b365c2c903cb4d91433059d45740d531692d6fd71b9e37ab0f6b9a5a6c180252c35cf704c42 |
C:\Users\Admin\AppData\Local\Temp\RES6FA2.tmp
| MD5 | 611b8a16ff704911fe3f8b9d8dc5155e |
| SHA1 | 8d2226eb95537ac29bd9154323298ab3182ec973 |
| SHA256 | b52c51b2081b577eaa6e030e3ece1305b89451ae363d07eb8636d4495ba5c3a5 |
| SHA512 | f9e6498e884421f9aabeaa0ddd6a2909f7c6a0cd8bfe33e88a0a130a78898b11758f4873218f2d7ab95289fc1cfb0120c0a35b8dd29c871f065fdfec9e8c769d |
memory/4968-18-0x0000000074F30000-0x00000000754E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp6E89.tmp.exe
| MD5 | 494a0eab8e3ec388b3c0b937c2917501 |
| SHA1 | 58d6a3930f61ce877be2d4c1ddf63c9dd7dd05c0 |
| SHA256 | ff948d3812618a599342239f6202e6b2f24088050899b82d03ed0a2d24788355 |
| SHA512 | 85f3d186efea77db9b4e74675b2c7426b975046fdfd66e703c794c97b9c61bd49bd810ac9ca1f796d37568bf761a357af1aa271027ccc8295d62929e5e704904 |
memory/2936-22-0x0000000074F30000-0x00000000754E1000-memory.dmp
memory/5084-23-0x0000000074F30000-0x00000000754E1000-memory.dmp
memory/5084-24-0x0000000074F30000-0x00000000754E1000-memory.dmp
memory/5084-25-0x0000000074F30000-0x00000000754E1000-memory.dmp
memory/5084-26-0x0000000074F30000-0x00000000754E1000-memory.dmp