Analysis Overview
SHA256
205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242c
Threat Level: Known bad
The file 205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
Uses the VBS compiler for execution
Loads dropped DLL
Executes dropped EXE
Deletes itself
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 12:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 12:24
Reported
2024-11-10 12:26
Platform
win7-20241023-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe
"C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zwlrmsbb.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC9C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC8B.tmp"
C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\zwlrmsbb.cmdline
C:\Users\Admin\AppData\Local\Temp\zwlrmsbb.0.vb
C:\Users\Admin\AppData\Local\Temp\zCom.resources
C:\Users\Admin\AppData\Local\Temp\vbcBC8B.tmp
C:\Users\Admin\AppData\Local\Temp\RESBC9C.tmp
C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 12:24
Reported
2024-11-10 12:26
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe
"C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m5qnebmz.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E55.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDC1AF78F5E35455E88AD7A4124FC6BCD.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe" C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\m5qnebmz.cmdline
C:\Users\Admin\AppData\Local\Temp\m5qnebmz.0.vb
C:\Users\Admin\AppData\Local\Temp\zCom.resources
C:\Users\Admin\AppData\Local\Temp\vbcDC1AF78F5E35455E88AD7A4124FC6BCD.TMP
C:\Users\Admin\AppData\Local\Temp\RES8E55.tmp
C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe