Malware Analysis Report

2024-09-11 10:24

Sample ID 240719-cj6qys1cjf
Target 3ccb4c53ebcc6db5b38ff12d401f84b0N.exe
SHA256 b4a8c8b2a1e0fc7f526d176b18b4f24b9b72a430d7b337f0943bd06afc12710e
Tags
metamorpherrat persistence rat stealer trojan
score
10/10


Analysis Overview


Threat Level: Known bad

The file 3ccb4c53ebcc6db5b38ff12d401f84b0N.exe was found to be: Known bad.

Malicious Activity Summary


MetamorpherRAT

Checks computer location settings

Executes dropped EXE

Uses the VBS compiler for execution

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-19 02:07

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-19 02:07

Reported

2024-07-19 02:09

Platform

win7-20240708-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ccb4c53ebcc6db5b38ff12d401f84b0N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7ADB.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp7ADB.tmp.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3ccb4c53ebcc6db5b38ff12d401f84b0N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7ADB.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2556 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\3ccb4c53ebcc6db5b38ff12d401f84b0N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2736 wrote to memory of 2760 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2556 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\3ccb4c53ebcc6db5b38ff12d401f84b0N.exe | C:\Users\Admin\AppData\Local\Temp\tmp7ADB.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3ccb4c53ebcc6db5b38ff12d401f84b0N.exe

"C:\Users\Admin\AppData\Local\Temp\3ccb4c53ebcc6db5b38ff12d401f84b0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\acyebonl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7BD5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7BD4.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp7ADB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7ADB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3ccb4c53ebcc6db5b38ff12d401f84b0N.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bejnz.com | udp
US | 44.221.84.105:80 | bejnz.com | tcp
US | 8.8.8.8:53 | t5tmike.no-ip.info | udp

Files

memory/2556-0-0x0000000074611000-0x0000000074612000-memory.dmp

memory/2556-1-0x0000000074610000-0x0000000074BBB000-memory.dmp

memory/2556-2-0x0000000074610000-0x0000000074BBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\acyebonl.cmdline

MD5 93fd2eb235cbc1ff289871f7c8888404
SHA1 d8935c6f528d9b29a723c3b47f26978a3f430377
SHA256 cfb06a072c24991e75b0e3206743bf949e339692a1bce275f92e3b4fa1aa77a3
SHA512 f87cdf4819d8c3ac3ea147bc96d10a267db98b0c42a8542b9dba1e9b7baa8c6078b26ad3c76e31c7de2bd8aa4b4537a0060405ca0e1a1b46b737a3548756111d

memory/2736-8-0x0000000074610000-0x0000000074BBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\acyebonl.0.vb

MD5 d614db9353247741bd0c67074bb055ba
SHA1 92c7512432bbd6ff935eee6185fa78a9624a4c80
SHA256 645a73932ec163c8b456ab9ab809769b4b1c17c86fe1d313a7d116f2e9b76229
SHA512 ba066d0344dc27729aad287ede2f6ffa8fced3f9264187aa95dcb63c83d54c36a678825a34dd70ce177328d5f38066695e55bb6c87fe43b931901537ff6ec7ab

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbc7BD4.tmp

MD5 57c6b22693e7aa569ee3237bbd1a4bb8
SHA1 5488cf1dc11478a7052f6b53a0a05b7afe1c742b
SHA256 263c16f8271b8cce2cc502637deb7511c0e86734e1e33fb88a1b4cd45896d719
SHA512 6cff989ac0df3a19093608e4f6b8276519a2469b54b176434353696dc61e18a783570ff9c958dc1678ba9e2838650cc8212520bb8ca7b538942af86d913a790e

C:\Users\Admin\AppData\Local\Temp\RES7BD5.tmp

MD5 9a1831b3897d71d110f3d12e3605c78d
SHA1 ce87e274efa0ac0005ecbfc3e85e3b30d273749e
SHA256 c0ccc4f5412d9475f66d8972f21e15fb17b95b5e03b9b658713a722246ebe446
SHA512 ed9f645f17fa9017fb766922957624538cd31b31450fd0450f1625b2094d8ea52e354c158e9317ad75d5248d6b997242234e6db4454546515b37b8833775b425

memory/2736-18-0x0000000074610000-0x0000000074BBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7ADB.tmp.exe

MD5 89f631c42c0a54d3bdb1af1ce9d45da3
SHA1 7db1170bfbea68e3fe81124470f48eeeae7489d6
SHA256 be23c33176d3a8d38d12e47f69b943a99ca7673ac7aa4d8ed3a9ece1764f6436
SHA512 4e1677c23e6502e5bf996e42adb13f2535256558c0c9226fa23c2e261f152f3adf61bb9c69c33018481e03c4401a9a62918ec0d0cfcadd4422a74750da891123

memory/2556-24-0x0000000074610000-0x0000000074BBB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-19 02:07

Reported

2024-07-19 02:09

Platform

win10v2004-20240709-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ccb4c53ebcc6db5b38ff12d401f84b0N.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ccb4c53ebcc6db5b38ff12d401f84b0N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3ccb4c53ebcc6db5b38ff12d401f84b0N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3ccb4c53ebcc6db5b38ff12d401f84b0N.exe

"C:\Users\Admin\AppData\Local\Temp\3ccb4c53ebcc6db5b38ff12d401f84b0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xd-cunhx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA78.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc445A78E14CAF49D6B7EB65EBBDC0AFBB.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3ccb4c53ebcc6db5b38ff12d401f84b0N.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | bejnz.com | udp
US | 44.221.84.105:80 | bejnz.com | tcp
US | 8.8.8.8:53 | t5tmike.no-ip.info | udp
US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp

Files

memory/1500-0-0x0000000075422000-0x0000000075423000-memory.dmp

memory/1500-1-0x0000000075420000-0x00000000759D1000-memory.dmp

memory/1500-2-0x0000000075420000-0x00000000759D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xd-cunhx.cmdline

MD5 e04c6334cf8af9a5b33eeb93e83de5c9
SHA1 a003ddca79c39ea3a85bea37a0b2a0e7e4e8f698
SHA256 439ab0b01c3d58d20053d8453920e2f540d076889e4abd56819abf38404ad180
SHA512 32ca69ead09b76c3d24db4a2dd4a69ccd65643214b78f974b2bd9fbd85c55f0aee71a7f7b08ba68680f61428d30501a4f0e30716836a5e884deed8d4a1a81be6

C:\Users\Admin\AppData\Local\Temp\xd-cunhx.0.vb

MD5 b27173e12b1f2b81c61a6f9c5f2de3fe
SHA1 e579b9bd9f57f312ee3bcda47329d0bf0c55f289
SHA256 d5ddeafb91971f440b76d24c407fc7cdc34df084a76335a2522484ba95e755a4
SHA512 e0a21c6608a3baf0a4dc02fc2d4e2af41efcd634912e696f14cc6340c8140551739e73083cf0625c32cba3ba8be4ba3a682062a3e657a4540b18245569b0154b

memory/3236-9-0x0000000075420000-0x00000000759D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\RESAA78.tmp

MD5 cd02a4e9754ab6fd9fc1b7acbc017475
SHA1 f4a1f4227d357a6f8372a1d27d1586c880460aa3
SHA256 c40a709ee697181a3f2141f978eebecd8ec5cc3e6bf52050a2e3c610a1e0bbd3
SHA512 9f54124fef81b3d90b21d719eb5724a2612f6a10356b1cade659809f626fee7bcd1b62a24a21a811906d9be46ba9d5bf9747768411a7ad355a9bb22e4931b873

C:\Users\Admin\AppData\Local\Temp\vbc445A78E14CAF49D6B7EB65EBBDC0AFBB.TMP

MD5 0d361ee7a5a6d722b546ce9ce3ea036f
SHA1 ed6afdd5ba1bb4859991caa69a058b16285660e2
SHA256 6c3efb0f0d058801ce1bfa76b71bbd4f15e964addf747a924da1c8792562b0fb
SHA512 db881c656840f9323f72f556c7589814f2fb3adcc4df43039feb3465a30a1a526ce12b68863c5883c04bcac3d5173849d3eef63068d36fb2b4d781948e7d26bc

memory/3236-18-0x0000000075420000-0x00000000759D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe

MD5 91532500589d91fb2efa0dd8c9b575e3
SHA1 2f9dcb2abd1be8277952e8081d9be1bcdc2c6c09
SHA256 cd7232b2077eb4a2e473fe41562988b3f0216fe249bdd8fea4711fd88f5854ae
SHA512 861d477820aa00aa01fb1777f29ced1c1d57a9814283b08bb645f8c777c6640b40c542806b91043040900097a3a09cfb21f4201b9a8ce6b2561fa48eef807bd8

memory/1500-22-0x0000000075420000-0x00000000759D1000-memory.dmp

memory/2172-24-0x0000000075420000-0x00000000759D1000-memory.dmp

memory/2172-23-0x0000000075420000-0x00000000759D1000-memory.dmp

memory/2172-25-0x0000000075420000-0x00000000759D1000-memory.dmp

memory/2172-26-0x0000000075420000-0x00000000759D1000-memory.dmp

memory/2172-27-0x0000000075420000-0x00000000759D1000-memory.dmp

memory/2172-28-0x0000000075420000-0x00000000759D1000-memory.dmp