Malware Analysis Report

2024-09-11 10:22

Sample ID 240720-t6bb1ateqh
Target ea598db77a9a4bb6029715382d3ebdb0N.exe
SHA256 a2d7363e71cf851be15cf29c963532fdc740f2275a1a686fc1bd3a070730d663
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a2d7363e71cf851be15cf29c963532fdc740f2275a1a686fc1bd3a070730d663

Threat Level: Known bad

The file ea598db77a9a4bb6029715382d3ebdb0N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-20 16:39

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-07-20 16:39

Reported

2024-07-20 16:41

Platform

win7-20240704-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD92F.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpD92F.tmp.exe N/A

The dropped tmpD92F.tmp.exe writes a per-user (HKCU) Run value named caspol.exe, the name of a legitimate .NET Framework tool used here only as a label, whose command is C:\Users\Admin\AppData\Local\Temp\InstallMembership.exe. InstallMembership.exe is not among the files written during this run (see Files below), so on a live host confirm the file exists before treating the autorun as functional; the registry value is an indicator either way.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpD92F.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1712 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
PID 3020 wrote to memory of 2116 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 1712 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe C:\Users\Admin\AppData\Local\Temp\tmpD92F.tmp.exe 4

Identical rows are collapsed; Count is the number of writes logged for that parent/child pair. The rows trace the process lineage: the sample (PID 1712) starts vbc.exe (PID 3020, the Visual Basic .NET compiler), vbc.exe starts cvtres.exe (PID 2116) to link resources, and the sample then starts the freshly compiled tmpD92F.tmp.exe (PID 2636).

Processes

C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe

"C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w0aqkplg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD9FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9FA.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpD92F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD92F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 8.8.8.8:53 t5tmike.no-ip.info udp 1
US 44.221.84.105:80 bejnz.com tcp 91

Identical rows are collapsed; Count is the number of times the row appears in the capture. All 91 TCP connections fall inside the 120 s network window, so the sample reconnects to bejnz.com on port 80 more often than once every two seconds. t5tmike.no-ip.info (a dynamic-DNS name) is queried once, but no connection to an address for it follows, consistent with the name not resolving at detonation time. Treat both names as C2 indicators; 44.221.84.105 falls in address space announced by Amazon (AWS), so block on the domain rather than relying on the IP alone, and check the current AWS ip-ranges.json before blocking the address.

Files

memory/1712-0-0x0000000074631000-0x0000000074632000-memory.dmp

memory/1712-1-0x0000000074630000-0x0000000074BDB000-memory.dmp

memory/1712-2-0x0000000074630000-0x0000000074BDB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\w0aqkplg.cmdline

MD5 a0a767ac7ae25595ec86e2e98d132921
SHA1 6bbddf304487f4569dcbd6b6314aa10957293993
SHA256 e4db48f2eff5c5ecdc0b50dd39ef3b3be6a5ea04829a1cc2c8676cd68a8dd393
SHA512 31d940b54ed58088410d6e36937c524e7b469992876c53e313aeac3eed9dc13465e95e4a96fa1387e2eb3cb506c6ed4503ed6fd35725008cac79646b5d701db4

C:\Users\Admin\AppData\Local\Temp\w0aqkplg.0.vb

MD5 1076fba7acfd02b4f82d69c22a9125a5
SHA1 6d838afb154914e61cc468e92dcc15bc5c3607cd
SHA256 7e18511f58c2fd1e6bc0cab8a578394cb129c21a83ab42570e8353a685fed86b
SHA512 758b003fd5cd7c459962070c083f2bbfbd09504a59374e5ce3f92dc96e6cf4e4f046e0b359fdd6bc68ad8f39bf383247e7665ae3d3e775d3dd33910368f9d879

memory/3020-9-0x0000000074630000-0x0000000074BDB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbcD9FA.tmp

MD5 8e767a03259e347fbd10b719df0f219f
SHA1 9f0041a2b07a9441754a77e6c6c4185be60a19a2
SHA256 acc93850f94fb1915dc566d83f5e1606ecd0351fc2d9d4ace6f8e86ade529253
SHA512 f9f2bb7e3c5619cb88ed26a841bbb8d6c06706cb5bbce770e6cfd85c19c1f44343cca93d1c9057d79b66cd16e47b59c3770b7c9a8ef6f8da29fd6ba10b8150da

C:\Users\Admin\AppData\Local\Temp\RESD9FB.tmp

MD5 3127ddac0350f4fe545090a3f7df5891
SHA1 56f8e7dc62677f0724026c119793fb8200b5ed04
SHA256 23c3c1cd72d74d6eac2bb88f246c64ef88fe4d1eb23f7bcc09fa8f3a721087f5
SHA512 f42ebab1d2dd1587a17239fea6c11e1e4a6c4c031539843e173be5870b2eaaee5ad29655a4981992250f99b96cdb835511259a11e5115b13287079756142b82a

C:\Users\Admin\AppData\Local\Temp\tmpD92F.tmp.exe

MD5 bf688f1a25878f3e8d80c24ead919551
SHA1 7f3c0988d0e7855c5cc5c59344d1206bdd5f8583
SHA256 d9e44e9a008f64404bbd426e70465f24165b9d28d6204a18bf81774a9f6a1b4e
SHA512 742fe8c9a226fd2cce116725032b35464330d10b983523284246f20c84a2dcdc5dc8d7f16c57570fed0e998478a0db79ae293f18633a1f576ef29e52c5fe5415

memory/3020-18-0x0000000074630000-0x0000000074BDB000-memory.dmp

memory/1712-24-0x0000000074630000-0x0000000074BDB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-20 16:39

Reported

2024-07-20 16:41

Platform

win10v2004-20240709-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9877.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp9877.tmp.exe N/A

As in behavioral1, the dropped executable (here tmp9877.tmp.exe) registers a per-user Run value named caspol.exe pointing at C:\Users\Admin\AppData\Local\Temp\InstallMembership.exe, a file that is not among those written during the run (see Files below).
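The Run-key rows in behavioral1 and behavioral2 above record the same persistence entry. The following is an added example, not code from the report or from the sandbox, that parses such a row and lists the properties a triage script should flag: the autorun target and its writer both live under the user's Temp directory, the value name does not match the target's file name, the value name borrows the name of a Microsoft .NET Framework tool, and the file that set the value is not the file it registers. The two input rows are copied from the tables above; the allowlist of .NET tool names is an illustrative assumption for this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: the two "Set value (str)" rows from this report's
# "Adds Run key to start application" tables (behavioral1 and behavioral2),
# copied as the sandbox printed them. The SIDs are the sandbox users' SIDs.
RUN_KEY_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpD92F.tmp.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp9877.tmp.exe N/A',
]

# Illustrative allowlist for this example (not from the report): names of
# Microsoft .NET Framework tools that a Run value might borrow to look benign.
DOTNET_TOOL_NAMES = {'caspol.exe', 'vbc.exe', 'csc.exe', 'cvtres.exe',
                     'regasm.exe', 'installutil.exe', 'msbuild.exe'}

# One sandbox row: Set value (str) <key>\<name> = "<escaped data>" <writer> <target>
ROW_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+?\\Run)\\(?P<name>\S+) = '
    r'"(?P<data>.*?)" (?P<writer>\S+) (?P<target>\S+)$'
)


def unescape_reg_string(data: str) -> str:
    # The sandbox prints REG_SZ data C-escaped: \" for a quote, \\ for a backslash.
    return data.replace('\\"', '"').replace('\\\\', '\\')


def command_image(command: str) -> PureWindowsPath:
    """Return the executable part of an autorun command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:command.index('"', 1)]
    else:
        exe = command.split(' ', 1)[0]
    return PureWindowsPath(exe)


def in_user_temp(path: PureWindowsPath) -> bool:
    return '\\appdata\\local\\temp\\' in str(path).lower()


def assess_run_value(row: str) -> dict:
    """Parse one Run-key row and list the properties that make it suspicious."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f'unrecognised row: {row!r}')
    name = m['name']
    target = command_image(unescape_reg_string(m['data']))
    writer = PureWindowsPath(m['writer'])
    findings = []
    if in_user_temp(target):
        findings.append('autorun_target_in_user_temp')
    if in_user_temp(writer):
        findings.append('writer_in_user_temp')
    if name.lower() != target.name.lower():          # caspol.exe vs InstallMembership.exe
        findings.append('value_name_mismatch')
    if name.lower() in DOTNET_TOOL_NAMES:
        findings.append('value_name_mimics_dotnet_tool')
    if writer.name.lower() != target.name.lower():   # dropper registers a different file
        findings.append('writer_registers_another_file')
    return {
        'key': m['key'],
        # \REGISTRY\USER\<SID>\... is the HKCU hive: persistence without admin rights.
        'scope': 'user' if m['key'].startswith('\\REGISTRY\\USER\\') else 'machine',
        'value_name': name,
        'autorun_target': target,
        'writer': writer,
        'findings': findings,
    }


if __name__ == '__main__':
    for row in RUN_KEY_ROWS:
        r = assess_run_value(row)
        print(f"{r['scope']} Run\\{r['value_name']} -> {r['autorun_target']} "
              f"(written by {r['writer'].name}): {', '.join(r['findings'])}")
```

On a live host the same checks apply to the value read back from HKCU\Software\Microsoft\Windows\CurrentVersion\Run; the report does not show InstallMembership.exe being written, so a present Run value with a missing target is still an indicator of this sample.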

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp9877.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe

"C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\toeuzt7h.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F5FCFB828C34AFB92E14F4823952DF.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp9877.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9877.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe
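The Processes sections of behavioral1 and behavioral2 show the same compile-and-run pattern: the sample starts vbc.exe with a response file in Temp, vbc.exe starts cvtres.exe, and the sample then starts the compiled tmp*.tmp.exe with its own path as the argument. The following is an added example, not code from the report or the sandbox, that rebuilds that lineage from the behavioral1 "wrote to memory of" rows and command lines (copied above, constructed as input here) and flags a parent that drives a .NET compiler and then launches a new executable from the user's Temp directory. The set of compiler names is an assumption for this example.

```python
import re
from collections import Counter, defaultdict

WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$')
RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+)"?')       # vbc.exe /noconfig @"x.cmdline"
DOTNET_COMPILERS = {'vbc.exe', 'csc.exe'}                # assumption for this example

SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\ea598db77a9a4bb6029715382d3ebdb0N.exe'
VBC = r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe'
CVTRES = r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe'
DROPPED = r'C:\Users\Admin\AppData\Local\Temp\tmpD92F.tmp.exe'

# Constructed input, copied from the behavioral1 "Suspicious use of
# WriteProcessMemory" table; the sandbox logged each parent->child write four times.
WPM_ROWS = (
    [f'PID 1712 wrote to memory of 3020 N/A {SAMPLE} {VBC}'] * 4
    + [f'PID 3020 wrote to memory of 2116 N/A {VBC} {CVTRES}'] * 4
    + [f'PID 1712 wrote to memory of 2636 N/A {SAMPLE} {DROPPED}'] * 4
)

# Constructed input, copied from the behavioral1 "Processes" section.
COMMAND_LINES = {
    SAMPLE: f'"{SAMPLE}"',
    VBC: f'"{VBC}" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\w0aqkplg.cmdline"',
    CVTRES: f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 '
            f'"/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RESD9FB.tmp" '
            f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\vbcD9FA.tmp"',
    DROPPED: f'"{DROPPED}" {SAMPLE}',
}


def basename(image: str) -> str:
    return image.rsplit('\\', 1)[-1].lower()


def in_user_temp(image: str) -> bool:
    return '\\appdata\\local\\temp\\' in image.lower()


def build_tree(rows):
    """Return (pid -> image path, Counter of (parent_pid, child_pid) -> writes)."""
    images, writes = {}, Counter()
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f'unrecognised row: {row!r}')
        ppid, cpid, pimg, cimg = int(m[1]), int(m[2]), m[3], m[4]
        images[ppid], images[cpid] = pimg, cimg
        writes[(ppid, cpid)] += 1
    return images, writes


def response_file(cmdline: str):
    m = RESPONSE_FILE_RE.search(cmdline)
    return m[1] if m else None


def find_compile_and_run(images, writes, command_lines):
    """Flag parents that run a .NET compiler and then start an .exe from %TEMP%."""
    children = defaultdict(list)
    for ppid, cpid in writes:
        children[ppid].append(cpid)
    findings = []
    for ppid, kids in children.items():
        compilers = [c for c in kids if basename(images[c]) in DOTNET_COMPILERS]
        if not compilers:
            continue
        dropped = [images[c] for c in kids if c not in compilers and in_user_temp(images[c])]
        for comp in compilers:
            # cvtres.exe under the compiler means resources were linked into the new binary.
            linked = any(basename(images[g]) == 'cvtres.exe' for g in children.get(comp, []))
            findings.append({
                'parent_pid': ppid,
                'parent_image': images[ppid],
                'compiler_pid': comp,
                'compiler': basename(images[comp]),
                'response_file': response_file(command_lines.get(images[comp], '')),
                'linked_resources': linked,
                'dropped_exe': dropped,
                'severity': 'high' if dropped and in_user_temp(images[ppid]) else 'medium',
            })
    return findings


if __name__ == '__main__':
    images, writes = build_tree(WPM_ROWS)
    for finding in find_compile_and_run(images, writes, COMMAND_LINES):
        print(finding)
```

The same logic applies to Sysmon process-creation events (parent image, image, command line) instead of sandbox rows; the distinguishing signal is a non-developer process under the user profile invoking vbc.exe or csc.exe with a response file in Temp and then executing the output.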

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 44.221.84.105:80 bejnz.com tcp 92
US 8.8.8.8:53 t5tmike.no-ip.info udp 21
US 8.8.8.8:53 tse1.mm.bing.net udp 2
US 150.171.27.10:443 tse1.mm.bing.net tcp 6
US 8.8.8.8:53 g.bing.com udp 1
US 204.79.197.237:443 g.bing.com tcp 1
US 8.8.8.8:53 (PTR lookups, listed below) udp 15

Identical rows are collapsed; Count is the number of times the row appears in the capture. One of the 92 connections to 44.221.84.105:80 and one UDP query to 8.8.8.8:53 were logged without a name.

PTR (in-addr.arpa) lookups issued during the run: 8.8.8.8, 133.211.185.52, 81.144.22.2, 136.32.126.40, 10.27.171.150, 237.197.79.204, 55.36.223.20, 105.84.221.44, 149.220.183.52, 183.59.114.20, 198.187.3.20, 172.210.232.199, 57.169.31.20, 73.144.22.2, 19.229.111.52.

The bing.net and bing.com traffic is background activity of the Windows 10 image (Bing search and Spotlight) and should not be attributed to the sample. Sample-attributable traffic matches behavioral1: one resolution of bejnz.com, repeated connections to 44.221.84.105:80 (more than one every two seconds on average across the 125 s window), and repeated queries for the dynamic-DNS name t5tmike.no-ip.info that never lead to a connection, consistent with that name not resolving at detonation time.
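Both Network tables mix sample traffic with resolver noise and, on the Windows 10 run, Microsoft background traffic. The following is an added example, not code from the report or the sandbox, that parses rows in the report's "Country Destination Domain Proto" format, fills in the domain for rows the sandbox logged without one by reusing the IP-to-domain mapping from other rows, separates reverse lookups and OS background traffic from sample traffic, and reports which names were queried but never connected to and how often each C2 host was contacted per window. The input is an abridged, constructed excerpt of the behavioral2 table; treating Bing hosts as background and the dynamic-DNS suffix list are assumptions for this example.

```python
import re
from collections import Counter

# Row format used by the report: "<CC> <ip>:<port> [<domain>] <tcp|udp>"
ROW_RE = re.compile(
    r'^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)'
    r'(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$'
)
RESOLVER = ('8.8.8.8', 53)
# Assumptions for this example (not from the report): Bing hosts are Windows 10
# background traffic, and these suffixes mark dynamic-DNS providers.
BACKGROUND_SUFFIXES = ('.bing.net', '.bing.com')
DYNDNS_SUFFIXES = ('.no-ip.info', '.no-ip.org', '.ddns.net', '.duckdns.org')

# Constructed input: an abridged excerpt of the behavioral2 Network table,
# including the two rows the sandbox logged without a domain.
NETWORK_ROWS = [
    'US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp',
    'US 8.8.8.8:53 tse1.mm.bing.net udp',
    'US 150.171.27.10:443 tse1.mm.bing.net tcp',
    'US 8.8.8.8:53 bejnz.com udp',
    'US 44.221.84.105:80 bejnz.com tcp',
    'US 8.8.8.8:53 t5tmike.no-ip.info udp',
    'US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp',
    'US 44.221.84.105:80 bejnz.com tcp',
    'US 44.221.84.105:80 bejnz.com tcp',
    'US 8.8.8.8:53 t5tmike.no-ip.info udp',
    'US 44.221.84.105:80 bejnz.com tcp',
    'US 44.221.84.105:80 tcp',
    'US 8.8.8.8:53 udp',
]
NETWORK_WINDOW_S = 125   # "Max time network" for behavioral2


def parse_row(row: str) -> dict:
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f'unrecognised row: {row!r}')
    return {'ip': m['ip'], 'port': int(m['port']), 'domain': m['domain'],
            'proto': m['proto'], 'inferred': False}


def classify(domain):
    if domain is None:
        return 'unattributed'
    if domain.endswith('.in-addr.arpa'):
        return 'reverse_lookup'
    if domain.endswith(BACKGROUND_SUFFIXES):
        return 'os_background'
    return 'sample'


def summarize(rows, window_s: float) -> dict:
    parsed = [parse_row(r) for r in rows]
    # Learn ip -> domain from rows that carry both, then fill rows logged without one.
    ip_to_domain = {}
    for r in parsed:
        if r['domain'] and (r['ip'], r['port']) != RESOLVER:
            ip_to_domain.setdefault(r['ip'], r['domain'])
    for r in parsed:
        if r['domain'] is None and r['ip'] in ip_to_domain:
            r['domain'], r['inferred'] = ip_to_domain[r['ip']], True
        r['class'] = classify(r['domain'])
    sample = [r for r in parsed if r['class'] == 'sample']
    dns = Counter(r['domain'] for r in sample if (r['ip'], r['port']) == RESOLVER)
    conns = Counter((r['domain'], r['ip'], r['port'], r['proto'])
                    for r in sample if (r['ip'], r['port']) != RESOLVER)
    per_domain = Counter()
    for (domain, *_), n in conns.items():
        per_domain[domain] += n
    return {
        'by_class': Counter(r['class'] for r in parsed),
        'dns_queries': dns,
        'connections': conns,
        # Queried but never connected: usually NXDOMAIN or a dead backup C2 at run time.
        'queried_never_connected': sorted(d for d in dns if d not in per_domain),
        'dynamic_dns': sorted(d for d in dns if d.endswith(DYNDNS_SUFFIXES)),
        'avg_interval_s': {d: window_s / n for d, n in per_domain.items()},
        'inferred_rows': sum(r['inferred'] for r in parsed),
    }


if __name__ == '__main__':
    for key, value in summarize(NETWORK_ROWS, NETWORK_WINDOW_S).items():
        print(f'{key}: {value}')
```

Run over the full behavioral2 table the same function attributes all 92 connections to bejnz.com, giving an average interval of roughly 1.4 s, and lists t5tmike.no-ip.info as queried 21 times without a connection.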

Files

memory/4836-0-0x0000000075002000-0x0000000075003000-memory.dmp

memory/4836-1-0x0000000075000000-0x00000000755B1000-memory.dmp

memory/4836-2-0x0000000075000000-0x00000000755B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toeuzt7h.cmdline

MD5 5e7b8c76cdbcd3585640ad4e1e58b567
SHA1 9c7e108e112bc8095dee2442ae6a4749bff02ec9
SHA256 36184fc8b01776733c068b2be3c4e7b7d72da8ad487524e0fa68bf35613e8fb7
SHA512 4a77cd2fd940f5438b3c279270e4f53fe63671a654690dc690abe1d72085cbf1260a98871c95060a190268ff8571f607812dae36f8c7cc4c48913b091ac8bc96

C:\Users\Admin\AppData\Local\Temp\toeuzt7h.0.vb

MD5 40035c9c2ac667cf63253123d1729539
SHA1 9830ab3ae3e2f53c9ad5bd2160ace629e8fbbd91
SHA256 171fa2815fa7e5b6896e7ab647a96170656b62472f6e605980a80b159fdd6882
SHA512 39b84d43788ccbdd5dfa994fe98e3a0eaceaa57c8cf7afb060e5be262c93d95d32d6344fcfc1392e76f59098f4790b1f3b4366dbb3caec2fe9f2218339fc733f

memory/4612-9-0x0000000075000000-0x00000000755B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbc2F5FCFB828C34AFB92E14F4823952DF.TMP

MD5 1e840d6471da7f40e766555c926007d1
SHA1 1bc2e691c967a19142931bf153c161eeb9f84da0
SHA256 ea5a9c580fa67a1b5fc44d126ad6013f02ba5a8448436376c14984385afa7a84
SHA512 91c64477057ec849ccfdbcb589a16932ffddf32688d02df5185eb6508d5e3c16deb173558bb6d114eeea9fd7813d37de082901a80a403c6d7660a8fc66285d2b

C:\Users\Admin\AppData\Local\Temp\RES99CF.tmp

MD5 f349a0790d2947bc5a3d9bf531244c10
SHA1 2944a18a1a49337509b4367dabb72c98e07df84b
SHA256 e0c892d52f20a252726cee6b0e2faf4887536289552f5b967a8425827bc4eeab
SHA512 c961532bf324159be3eef86d9baf280fe6760402f9d633cc804e77ca8ec6924a7b1859eebf12bdb15ddcb547be96fd75e068780f4b4e6256ffa523ed791ae412

memory/4612-18-0x0000000075000000-0x00000000755B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9877.tmp.exe

MD5 e00601bcf9cb753c21e5c661e6114703
SHA1 5e5e8f86cd58c36092b8b4f00e08b05db57453b8
SHA256 ba209c11dbf7d1d6a54fab9b4fca2c655c69b9e9fe082b053669dae7b5c2bc9f
SHA512 aa879f68e0c89b7c72f87924054a4bbd73d5fd1093db808daf0768efae041e004d12446fa10efc4ddcc574ecad7032c88f193b085268284b5f8849a8b0216b77

memory/4836-22-0x0000000075000000-0x00000000755B1000-memory.dmp

memory/4256-23-0x0000000075000000-0x00000000755B1000-memory.dmp

memory/4256-25-0x0000000075000000-0x00000000755B1000-memory.dmp

memory/4256-24-0x0000000075000000-0x00000000755B1000-memory.dmp

memory/4256-26-0x0000000075000000-0x00000000755B1000-memory.dmp

memory/4256-27-0x0000000075000000-0x00000000755B1000-memory.dmp

memory/4256-28-0x0000000075000000-0x00000000755B1000-memory.dmp