Malware Analysis Report

2024-09-11 10:22

Sample ID: 240719-zwpdrszcpp
Target: 099cef853def114c5177030cdfe69c60N.exe
SHA256: 07a77b0fc3132d39ee41ab4dbd1bbbdf15ffe8ebfe576cf914a1ec2132dcdcbe
Tags: metamorpherrat persistence rat stealer trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 07a77b0fc3132d39ee41ab4dbd1bbbdf15ffe8ebfe576cf914a1ec2132dcdcbe

Threat Level: Known bad

The file 099cef853def114c5177030cdfe69c60N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Deletes itself

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-07-19 21:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-19 21:04
Reported: 2024-07-19 21:06
Platform: win7-20240705-en
Max time kernel: 120s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\tmpF98B.tmp.exe

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\tmpF98B.tmp.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Process: C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe

Description: Token: SeDebugPrivilege
Process: C:\Users\Admin\AppData\Local\Temp\tmpF98B.tmp.exe

Suspicious use of WriteProcessMemory

Description: PID 1712 wrote to memory of 1820 (4 events)
Process: C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe
Target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Description: PID 1820 wrote to memory of 2664 (4 events)
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Description: PID 1712 wrote to memory of 2780 (4 events)
Process: C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe
Target: C:\Users\Admin\AppData\Local\Temp\tmpF98B.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe

"C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jhobbybq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAE3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAE2.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpF98B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF98B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe
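The process list above is the signature of run-time compilation: vbc.exe is the Visual Basic .NET command-line compiler (not a VBScript engine, despite the "VBS compiler" signature name), and the shape of the call, /noconfig plus an @<random>.cmdline response file next to a <random>.0.vb source in %TEMP%, is what System.CodeDom.Compiler produces when a .NET program compiles source at run time. The compiler then runs cvtres.exe to turn the vbc*.tmp resource into RES*.tmp, and the parent starts the freshly written tmpF98B.tmp.exe with its own path as the argument. The following is an added example, not code from the report or the sandbox vendor: a process-tree check over constructed process-creation records that mirror the command lines above (the first four PIDs are the report's; the MSBuild/csc.exe control, the record layout and the allowlist of legitimate compiler parents are assumptions).

```python
"""Flag run-time compilation through the .NET command-line compilers.

Added example (not part of the sandbox report): a process-tree check that
shows, on constructed process-creation records mirroring the behavioral1
command lines, why the chain sample -> vbc.exe @*.cmdline -> cvtres.exe plus
a sibling tmp*.tmp.exe is worth alerting on. The record layout, the PIDs of
the benign control and the allowlist of legitimate compiler parents are
assumptions for illustration.
"""
import ntpath
import re
from dataclasses import dataclass

COMPILERS = {"vbc.exe", "csc.exe"}            # .NET language compilers
RESOURCE_TOOL = "cvtres.exe"                  # spawned by the compiler to build the .res
DEV_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "w3wp.exe"}   # assumed allowlist
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Public)\\", re.I)
RESPONSE_FILE = re.compile(r'@"?(?P<path>[^"\s]+\.cmdline)"?', re.I)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


# Constructed records; the first four use the PIDs and command lines from behavioral1.
EVENTS = [
    Proc(1712, 1000, r"C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe"'),
    Proc(1820, 1712, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig '
         r'@"C:\Users\Admin\AppData\Local\Temp\jhobbybq.cmdline"'),
    Proc(2664, 1820, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
         r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
         r'"/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAE3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAE2.tmp"'),
    Proc(2780, 1712, r"C:\Users\Admin\AppData\Local\Temp\tmpF98B.tmp.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\tmpF98B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe'),
    # Benign control (constructed): MSBuild driving csc.exe on a build server.
    Proc(300, 200, r"C:\Program Files\MSBuild\Current\Bin\MSBuild.exe", "MSBuild.exe build.proj"),
    Proc(301, 300, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
         r'csc.exe /noconfig @"C:\build\obj\Debug\app.csproj.cmdline"'),
]


def find_runtime_compilation(events):
    """Return one finding per compiler launch whose parent is not a known build tool."""
    by_pid = {p.pid: p for p in events}
    findings = []
    for p in events:
        if p.name not in COMPILERS:
            continue
        parent = by_pid.get(p.ppid)
        parent_name = parent.name if parent else "<unknown>"
        if parent_name in DEV_PARENTS:
            continue
        m = RESPONSE_FILE.search(p.cmdline)
        response = m.group("path") if m else None
        # The compiler spawns cvtres.exe only when it has a Win32 resource to
        # convert; the RES*.tmp / vbc*.tmp pair is then worth collecting.
        spawned_cvtres = any(c.ppid == p.pid and c.name == RESOURCE_TOOL for c in events)
        # A freshly written executable started by the same parent is the usual
        # next step: the compiled output being run.
        siblings = [c.image for c in events
                    if c.ppid == p.ppid and c.pid != p.pid and USER_WRITABLE.search(c.image)]
        findings.append({
            "compiler_pid": p.pid,
            "parent": parent_name,
            "parent_in_user_writable": bool(parent and USER_WRITABLE.search(parent.image)),
            "response_file": response,
            "response_in_user_writable": bool(response and USER_WRITABLE.search(response)),
            "spawned_cvtres": spawned_cvtres,
            "sibling_exe_in_user_writable": siblings,
        })
    return findings


if __name__ == "__main__":
    for finding in find_runtime_compilation(EVENTS):
        print(finding)
```

The allowlist is deliberately short: the point is that a compiler launched from a user's Temp directory, reading a response file from Temp, is the event to triage, and the response file and .0.vb source (both listed under Files below) are the artefacts to collect before the sample deletes them.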

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 44.221.84.105:80 bejnz.com tcp 84
US 8.8.8.8:53 t5tmike.no-ip.info udp 1
US 44.221.84.105:80 (no domain recorded) tcp 1

Sequence in the original log: the bejnz.com lookup, one connection to 44.221.84.105:80, the single t5tmike.no-ip.info lookup, then 83 consecutive connections to 44.221.84.105:80 (bejnz.com), and a final connection to the same address with no domain recorded.

Files

memory/1712-0-0x0000000074951000-0x0000000074952000-memory.dmp

memory/1712-1-0x0000000074950000-0x0000000074EFB000-memory.dmp

memory/1712-2-0x0000000074950000-0x0000000074EFB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jhobbybq.cmdline

MD5 128c753c1cd3205a83f7788c877ac3fc
SHA1 ec01983880ed803ad90bc5f718040cadf10db63b
SHA256 becb592f803eb19450a7689799fe74f8d274541a106682b6aec4a2f9d07e1f3b
SHA512 c5d092125bf7f15247dd04d2e916c2ecf4c1cab2ee132e56dce1fdbfaac4c3ab50098c70576e775d453ded7a4f02709f991a162f8f7f084e6fd520216e5b360a

memory/1820-8-0x0000000074950000-0x0000000074EFB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jhobbybq.0.vb

MD5 33362e1c392c21cf22b1e0b79c783692
SHA1 0074dcdc090764019899b77a18c33652482c0b5a
SHA256 d5e8fefb6d9bc823cceda8c8d8b3e5955b2a89972058fd8a364a981cbbd15c1d
SHA512 46f2b3e60f0956dbd6ca001785f5cc2fa6db457a7080c24d160b90d290c0f6d41f2b9b45f0fe7ce8409d06048970d82b7cff82c43bc3534906473cab984a7e18

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbcFAE2.tmp

MD5 01764201cfefef6dbd61d7d1ecc4ef7f
SHA1 b70d3652d2ad2eae7b05b06b9229a059d5d4280a
SHA256 4f71cdff8642601c489bb172775faf5aeb1217825df6182ee1228c91448d332b
SHA512 fcefc82dbc1ad6f2c8be09a79cbeda124417d1692e93c765a21bb87b5a6e9242a71b657a790fe4f7932f5ff8958344a62b07150c6a61ea4411f6f1a49cc0164a

C:\Users\Admin\AppData\Local\Temp\RESFAE3.tmp

MD5 b05b3eb950d57d293826d3bf46244be6
SHA1 88451f62a2665f58d3c00681adf5b31a127098b8
SHA256 01f52b62b3187bfc76946c0ad7beb10d36f1c48e0f9c70e75b50e0cb72b3c904
SHA512 1f251ea094980e1b72f4d89b8af65bebcf1c07580f1a70d67f46ab3e46e4a6ca5516222147004368be80327474c559761f5030f70d38695f14d23a648d45894a

memory/1820-18-0x0000000074950000-0x0000000074EFB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF98B.tmp.exe

MD5 4eae4a3c3d6d64af1b16970737aaa8cb
SHA1 11010d32ce2afe2a5eeb77305943b75cc536b1bd
SHA256 3600217e3181924d42ab8f51e8686fc95d00f8a9ec45bc3dd6e59fcfc8714384
SHA512 b602248a64bed3fa6dc880676bca7a846b4a3d7b8b272954bba94d99c847685a370ada78d7f21312eb1003a3a7c948a9b96e128dc482487d256c0d53b7035ef8

memory/1712-24-0x0000000074950000-0x0000000074EFB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-19 21:04
Reported: 2024-07-19 21:06
Platform: win10v2004-20240709-en
Max time kernel: 119s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe

Deletes itself

Process: C:\Users\Admin\AppData\Local\Temp\tmp8DB9.tmp.exe

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\tmp8DB9.tmp.exe

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\tmp8DB9.tmp.exe
Target: N/A
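Both detonations (behavioral1 and behavioral2) write the same per-user Run value: the value name is caspol.exe, which is the name of a real .NET Framework tool (the Code Access Security Policy tool), while the data points at InstallMembership.exe in the user's Temp directory. Note that neither Files list in this report includes InstallMembership.exe, so whether that file exists after the run cannot be confirmed from this page. The following is an added example, not code from the report or the sandbox vendor: a parser for the flattened "Set value (str) <key>\<name> = "<data>"" indicator string as printed above, with the checks an analyst makes on a Run entry by hand. The borrowed-name list, the location heuristics and the benign control entry are assumptions.

```python
"""Parse sandbox 'Set value (str)' registry indicators and rate Run-key persistence.

Added example, not part of the report: parses the flattened indicator string
shown in the 'Adds Run key to start application' tables and applies the checks
an analyst would make by hand. The borrowed-name list, the user-writable
location pattern and the benign control entry are assumptions for illustration.
"""
import ntpath
import re

RUN_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run",
            "\\software\\microsoft\\windows\\currentversion\\runonce")
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|Public)\\", re.I)
# Real Windows/.NET binary names that malware borrows for the value name (assumed list).
BORROWED_NAMES = {"caspol.exe", "svchost.exe", "explorer.exe", "csrss.exe", "regsvr32.exe"}

INDICATOR = re.compile(
    r'^Set value \((?P<type>\w+)\)\s+'
    r'(?P<key>\\REGISTRY\\[^=]*?)\\(?P<value>[^\\=]+?)\s*=\s*"(?P<data>.*)"$'
)


def parse_indicator(text):
    """Split a flattened 'Set value (str) <key>\\<name> = "<data>"' indicator."""
    m = INDICATOR.match(text.strip())
    if not m:
        raise ValueError(f"not a Set value indicator: {text!r}")
    # The sandbox prints the data with escaped quotes and backslashes; undo that.
    data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
    return {"type": m.group("type"), "key": m.group("key"),
            "value_name": m.group("value"), "data": data}


def target_path(data):
    """Return the executable path from value data, stripping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split(" ", 1)[0]


def assess_run_entry(text):
    rec = parse_indicator(text)
    key_l = rec["key"].lower()
    rec["scope"] = "user" if key_l.startswith("\\registry\\user\\") else "machine"
    rec["is_run_key"] = any(key_l.endswith(k) for k in RUN_KEYS)
    exe = target_path(rec["data"])
    name = rec["value_name"].lower()
    base = ntpath.basename(exe).lower()
    reasons = []
    if USER_WRITABLE.search(exe):
        reasons.append("target lives in a user-writable temp/profile directory")
    if name in BORROWED_NAMES:
        reasons.append(f"value name borrows a real binary name ({rec['value_name']})")
    if name not in (base, ntpath.splitext(base)[0]):
        reasons.append("value name does not match the target file name")
    rec.update(target=exe, reasons=reasons, suspicious=bool(reasons))
    return rec


# Constructed from the report's behavioral1 indicator (SID as printed there).
SAMPLE = (r'Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000'
          r'\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = '
          r'"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""')
# Benign control (constructed): a vendor updater under Program Files.
BENIGN = (r'Set value (str) \REGISTRY\USER\S-1-5-21-1-2-3-1000'
          r'\Software\Microsoft\Windows\CurrentVersion\Run\Updater = '
          r'"\"C:\\Program Files\\Vendor\\Updater.exe\" /background"')

if __name__ == "__main__":
    for s in (SAMPLE, BENIGN):
        r = assess_run_entry(s)
        print(r["value_name"], "->", r["target"], "|", r["reasons"] or "no findings")
```

The mismatch check is what separates this entry from an ordinary updater: a value named caspol.exe that launches InstallMembership.exe has no legitimate reason to exist, whichever of the two names the analyst searches for on disk.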

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Process: C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe

Description: Token: SeDebugPrivilege
Process: C:\Users\Admin\AppData\Local\Temp\tmp8DB9.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe

"C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lxm_m6ow.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F7E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61E4E44C28854032A0AA4BCD88095C0.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp8DB9.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8DB9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\099cef853def114c5177030cdfe69c60N.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 (reverse lookups, *.in-addr.arpa) udp 11
US 8.8.8.8:53 bejnz.com udp 1
US 44.221.84.105:80 bejnz.com tcp 83
US 8.8.8.8:53 t5tmike.no-ip.info udp 22
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.27.10:443 tse1.mm.bing.net tcp 5

Reverse lookups, one each, in order of appearance: 28.118.140.52.in-addr.arpa, 0.205.248.87.in-addr.arpa, 74.32.126.40.in-addr.arpa, 196.249.167.52.in-addr.arpa, 43.58.199.20.in-addr.arpa, 105.84.221.44.in-addr.arpa, 50.23.12.20.in-addr.arpa, 206.23.85.13.in-addr.arpa, 172.214.232.199.in-addr.arpa, 10.27.171.150.in-addr.arpa, 13.227.111.52.in-addr.arpa.

Sequence in the original log: five reverse lookups; the bejnz.com lookup and a first connection to 44.221.84.105:80; then a repeating cycle of one t5tmike.no-ip.info lookup followed by four connections to 44.221.84.105:80 (one cycle has two), 22 lookups in all, with the remaining reverse lookups and the tse1.mm.bing.net traffic interleaved. No connection is recorded against t5tmike.no-ip.info; only the lookups appear.
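Two things in the network logs of both detonations are worth turning into detection logic: a single host:port (44.221.84.105:80, bejnz.com) receiving more than eighty plain-HTTP connections inside a two-minute run, and a dynamic-DNS name (no-ip.info is a dynamic DNS provider) being resolved again and again without any connection ever being recorded against it, in a fixed lookup-then-burst rhythm. 8.8.8.8:53 is simply the sandbox's resolver, and tse1.mm.bing.net is a Microsoft (Bing) host, on a Windows 10 image usually OS background traffic rather than the sample's. The following is an added example, not code from the report or the sandbox vendor: it reads rows in the report's own "Country Destination Domain Proto" layout, aggregates them, and applies those checks. The log excerpt is constructed to mirror the start of the behavioral2 table and three of its cycles; the thresholds and the dynamic-DNS suffix list are assumptions.

```python
"""Summarise a sandbox network log and flag C2-style beaconing.

Added example, not part of the report: rows in the report's
'Country Destination Domain Proto' layout (a constructed excerpt modelled
on the behavioral2 table) are aggregated and checked for repeated TCP
connections to one host:port, repeated resolution of a dynamic-DNS name,
and a lookup-then-burst cycle. Thresholds and the suffix list are assumptions.
"""
from collections import Counter

DYNAMIC_DNS_SUFFIXES = (".no-ip.info", ".no-ip.org", ".ddns.net", ".duckdns.org")  # assumed
BEACON_MIN_CONNECTIONS = 10     # assumed threshold for a ~2-minute detonation
DNS_REPEAT_MIN = 3              # assumed threshold for "polled" names

# Constructed excerpt: the opening of the behavioral2 log, three of its
# lookup-then-burst cycles, the Bing traffic, and the trailing row with no domain.
LOG = """\
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp
"""


def parse_rows(text):
    """Yield (country, destination, domain, proto); the domain column may be empty."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)
        elif len(parts) == 3:            # connection row with no domain recorded
            yield parts[0], parts[1], "", parts[2]


def summarise(rows):
    """Aggregate rows into (destination, domain, proto) -> count."""
    return Counter((dest, dom, proto) for _, dest, dom, proto in rows)


def beacon_findings(rows):
    rows = list(rows)
    counts = summarise(rows)
    findings = []
    # 1. Many TCP connections to the same host:port within one detonation.
    tcp = Counter()
    for (dest, _dom, proto), n in counts.items():
        if proto == "tcp":
            tcp[dest] += n
    for dest, n in tcp.items():
        if n >= BEACON_MIN_CONNECTIONS:
            findings.append(("repeated-connection", dest, n))
    beacon_dests = {dest for kind, dest, _ in findings if kind == "repeated-connection"}
    # 2. Repeated lookups of a dynamic-DNS hostname (C2 address polling).
    dns = Counter(dom for _, _, dom, proto in rows if proto == "udp" and dom)
    for dom, n in dns.items():
        if n >= DNS_REPEAT_MIN and dom.endswith(DYNAMIC_DNS_SUFFIXES):
            findings.append(("dynamic-dns-polling", dom, n))
    # 3. Lookup-then-burst cycle: connections to the beacon host between lookups of a name.
    for dom in dns:
        bursts, run = [], None
        for _, dest, d, proto in rows:
            if proto == "udp" and d == dom:
                if run is not None:
                    bursts.append(run)
                run = 0
            elif run is not None and proto == "tcp" and dest in beacon_dests:
                run += 1
        if run is not None:
            bursts.append(run)
        if len(bursts) >= 3 and min(bursts) > 0:
            findings.append(("lookup-burst-cycle", dom, tuple(bursts)))
    return counts, findings


if __name__ == "__main__":
    counts, findings = beacon_findings(parse_rows(LOG))
    for key, n in counts.most_common():
        print(n, *key)
    for f in findings:
        print("FINDING", *f)
```

On the excerpt the third check reports bursts of (4, 4, 5) for t5tmike.no-ip.info; on the full behavioral2 table it would report twenty-odd bursts of four, which is the rhythm that distinguishes a beacon from a download.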

Files

memory/4372-0-0x0000000075472000-0x0000000075473000-memory.dmp

memory/4372-1-0x0000000075470000-0x0000000075A21000-memory.dmp

memory/4372-2-0x0000000075470000-0x0000000075A21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lxm_m6ow.cmdline

MD5 7ed3aea56abcdc1775099062227bc8b6
SHA1 25e64b9b177e65a4b0adef2fd340cb75cb3476aa
SHA256 d98cf3ff7c4d2df34091bcc23977b4482bb31e5c984728058a51443fefbf1083
SHA512 5ea8ca43be673fb6265f0ec4885a17e52169f9502e600461a633b019dcdf8700c26087284b113b74dede3fdd6c035f4305441a50a39c09b8274403cf29280761

C:\Users\Admin\AppData\Local\Temp\lxm_m6ow.0.vb

MD5 8d088629242a101fe108f32c82221373
SHA1 efe7603d27dbcc93a70bb8d6499ef509f47776d8
SHA256 806c8336ea89b9c01baa3a7d9cefda32a29c26bb223321b5c18f887b56d890cc
SHA512 12dab1416263a72171ad04331cd274c4c18c8f115f9c1a9d82dafb5c4b673ad38e7f87577cc65d78487c0658d42d6749ac3558a8281532a37011295e09bb3fe8

memory/4104-9-0x0000000075470000-0x0000000075A21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbc61E4E44C28854032A0AA4BCD88095C0.TMP

MD5 1523d569d20858f189549fdd9241876b
SHA1 e4183ee31370011b686e75e939569eafe402bbc6
SHA256 62b1a8592d30a43f2ad4250a9ccc44b032bf695202de794a4790e9e0c3f243d5
SHA512 26f8c6e9f6b87e7bf9b066cb01c3ce008cfc49d8afa8d620969615f11e8668b1df474dfb53f071470302d95784136f651553ef2c69358e44d6b6b7d5668e23ac

C:\Users\Admin\AppData\Local\Temp\RES8F7E.tmp

MD5 4a61dd111e7a06b581a1dbb7bd3858ce
SHA1 811cc1cda92fd34f6fb747931125b9d02a1a6850
SHA256 5baedae6982dfd38b2bc2716564936082a969f9f3ed53d84d8647044f4e1093e
SHA512 92a585e693cba327d2f4e3cc0c0f5863a7f334f017c175c138193410e5683e27565b8f341041b6afbdff8f47bca54c6229406ab35a6e91cb9fe82d6e032bc771

memory/4104-18-0x0000000075470000-0x0000000075A21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8DB9.tmp.exe

MD5 4ac5a491df161bc762b5170e8dd6ce13
SHA1 081cb529f697d5cc29b412ac8fe2e6d95e4c233b
SHA256 c5a218ffac96fd2e61b250d66dc45b72af2b41976afc18486cb8dc618c54627c
SHA512 946a19401d644e31b0cd47971de257daf26fb2384ddcf9f5e57cf7b5125f514a9d841628ea63893319d4b16c740a06b59aadae9db91507d82e83cd7ee263704f

memory/4372-22-0x0000000075470000-0x0000000075A21000-memory.dmp

memory/3616-24-0x0000000075470000-0x0000000075A21000-memory.dmp

memory/3616-23-0x0000000075470000-0x0000000075A21000-memory.dmp

memory/3616-25-0x0000000075470000-0x0000000075A21000-memory.dmp

memory/3616-26-0x0000000075470000-0x0000000075A21000-memory.dmp

memory/3616-27-0x0000000075470000-0x0000000075A21000-memory.dmp