Malware Analysis Report

2024-09-11 10:22

Sample ID 240722-3jmk7avglr
Target 8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63
SHA256 8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63
Tags metamorpherrat rat stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10
SHA256 8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63
Threat Level: Known bad

The file 8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat rat stealer trojan

MetamorpherRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-07-22 23:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-22 23:32
Reported 2024-07-22 23:35
Platform win7-20240708-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpDCB8.tmp.exe N/A

Uses the VBS compiler for execution

The signature name is the sandbox's; the binary involved is vbc.exe, the Visual Basic .NET command-line compiler in the .NET Framework 2.0 directory, not a VBScript host. The Processes and Files sections below show the chain: a source file (ltvuhf_1.0.vb) and a response file (ltvuhf_1.cmdline) appear in %TEMP%, vbc.exe is started with /noconfig @"<response file>", vbc.exe calls cvtres.exe to convert the compiled resource (vbcDE7D.tmp to RESDE7E.tmp), and the sample then runs the dropped tmpDCB8.tmp.exe with its own path as the only argument. The report does not show the response file's contents, so the link between the compile and tmpDCB8.tmp.exe is inferred from ordering, not proven; the .vb source and the .cmdline response file are the artifacts to recover from an infected host.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2628 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
PID 2328 wrote to memory of 2244 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 2628 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe C:\Users\Admin\AppData\Local\Temp\tmpDCB8.tmp.exe 4

Each target is a child the writing process had just created (compare the Processes section); writes from a parent into its newly started child are part of ordinary process start-up, so this signature on its own does not show injection into an unrelated process.

Processes

C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe

"C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ltvuhf_1.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE7E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE7D.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpDCB8.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDCB8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 44.221.84.105:80 bejnz.com tcp 62
N/A 127.0.0.1:127 tcp 62

The 62 connections to bejnz.com:80 were logged interleaved with the 62 loopback rows, one loopback row after each bejnz.com connection, within the 150 s network window: on average roughly one plain-HTTP check-in every 2 to 3 seconds. The report records no HTTP request content.

Files

memory/2628-0-0x0000000074EF1000-0x0000000074EF2000-memory.dmp

memory/2628-1-0x0000000074EF0000-0x000000007549B000-memory.dmp

memory/2628-2-0x0000000074EF0000-0x000000007549B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ltvuhf_1.cmdline

MD5 96297f2a2127fa7a35833ef0d225cff3
SHA1 1e6dbb1b6216eec99e36ebbeec1b43cccf378396
SHA256 3e410d77cd72b893cbfcc0a8348b16885042c7291c535fddd034b0b40f07d4f6
SHA512 c776202058742ab25fab411f7152793125698e129111a9b54678eb068c2759250efc8e28ea610a7d2e0b9ffd6019cd41668d9ce3ee51f621ef992f954cceadf3

memory/2328-8-0x0000000074EF0000-0x000000007549B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ltvuhf_1.0.vb

MD5 5db7a43f03cbaa30668ca21714c65672
SHA1 cee96516cd346c2339a6dc5496da578067f5da5b
SHA256 bbca7cac17bc40657f954e12c2341ed5442c29c7b3b02107858e2d268b8eda48
SHA512 a5fc3ddc2ab5b05bd09f96ec018124a7406fa23817c201d7595b1427e2eb9bad3997993bb03828caca2d0d86a08969978726da8903a12a15182dddcf38057c37

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 484967ab9def8ff17dd55476ca137721
SHA1 a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

C:\Users\Admin\AppData\Local\Temp\vbcDE7D.tmp

MD5 bafc30662800bcaba3c96cc9aa1a7978
SHA1 e46bf411b57e0d435c2a82966df31cb5f7efd979
SHA256 56f8653bfc24af232907426f89bc57b3e33ae16572425039c489e9f64185505d
SHA512 c008c7ddab9bb5b02617ea2b998a9f50fa8e1a81b15163d9030c40159c245e2ce36190a11e7deb01968af329ea1b36532af288dde5153fd267d158a63f7b1db2

C:\Users\Admin\AppData\Local\Temp\RESDE7E.tmp

MD5 66a2997ae37e3bad0cc2b333334f2a4c
SHA1 3e140dcce1a315092924687b228c1023fd61ffdb
SHA256 d313cba36ad53f19b03be2cde7aab0b2f4eed3df49bd6e68faa56caa8a8dd048
SHA512 0412559eed34e7424e9bac97905bb620ec671dfb320c882a40aa4021b0f4e16b6669980ff901f7878fc173f785b0db41e2dc496211fd06244fd95f97a2e48208

memory/2328-18-0x0000000074EF0000-0x000000007549B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDCB8.tmp.exe

MD5 a3cbf1377b7974e869017fefb6ea94d3
SHA1 02ab5e4230f148f2f35390da70b62ceac974d307
SHA256 874cff4a7c24288588371b75c9894cc47d75d9d6cf8806e6ba3d6c883636d34e
SHA512 31188a9ffa1d5faa981117285bb352a9c9e154bb88ea1ba259434b761982550e5b7112208653999a9588ad6c3b8da6a67e820ddaf0e3fa3407c6ab77b9e5f21a

memory/2628-24-0x0000000074EF0000-0x000000007549B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-07-22 23:32
Reported 2024-07-22 23:35
Platform win10v2004-20240709-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp7ED5.tmp.exe N/A

Uses the VBS compiler for execution

Same chain as in behavioral1, under different temporary names: p4m31srp.0.vb and p4m31srp.cmdline are compiled by vbc.exe (the VB.NET compiler, despite the signature name), cvtres.exe is called in turn, and the dropped tmp7ED5.tmp.exe is then run with the sample's path as its argument. On this Windows 10 run the dropped executable also enables SeDebugPrivilege (see the AdjustPrivilegeToken table below), which the Windows 7 run did not record.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp7ED5.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 3524 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 3
PID 4716 wrote to memory of 3532 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 3
PID 3524 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe C:\Users\Admin\AppData\Local\Temp\tmp7ED5.tmp.exe 3

Same pattern as behavioral1: every target is a child the writer had just created, which is consistent with process start-up rather than injection into a foreign process.

Processes

C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe

"C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p4m31srp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FBF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc927417E7424CB6967BC1AB90F770F2.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp7ED5.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7ED5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe
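The process trees in behavioral1 and behavioral2 share one shape: a sample running from %TEMP% starts vbc.exe with a response file, vbc.exe starts cvtres.exe, and the sample then runs a tmpXXXX.tmp.exe passing its own path as the argument. The detection logic below is an added example written for this page, not part of the sandbox report or of any EDR product. It runs over constructed process-creation records built from the behavioral1 command lines; the record schema (pid, ppid, image, cmdline), the explorer.exe parent and the benign MSBuild control are assumptions.

```python
"""Detection logic for the vbc.exe runtime-compilation chain seen in this
report, run over constructed process-creation events. Added example; not part
of the sandbox output. The event schema is assumed, not any EDR's format."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the started executable
    cmdline: str   # full command line as logged


# Paths a standard user can write to; a compiler launched from here is unusual.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Public)\\", re.I)
# The .NET Framework command-line compilers (vbc.exe is VB.NET, csc.exe is C#).
DOTNET_COMPILER = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\(vbc|csc)\.exe$", re.I)
# '@"...cmdline"' response file, as in the vbc.exe command line in this report.
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)
# tmpXXXX.tmp.exe dropped in %TEMP%, as in the "Executes dropped EXE" signature.
TEMP_DROP = re.compile(r"\\AppData\\Local\\Temp\\tmp[0-9A-F]+\.tmp\.exe$", re.I)


def _args_after_image(cmdline: str) -> str:
    """Return the arguments that follow the process's own (possibly quoted) image token."""
    cl = cmdline.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    parts = cl.split(None, 1)
    return parts[1] if len(parts) == 2 else ""


def runtime_compile_from_user_dir(events):
    """Rule 1: a .NET compiler driven by a response file, spawned by a process
    running from a user-writable directory. Returns (parent pid, compiler pid, response file)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if not DOTNET_COMPILER.search(ev.image):
            continue
        m = RESPONSE_FILE.search(ev.cmdline)
        parent = by_pid.get(ev.ppid)
        if m and parent and USER_WRITABLE.search(parent.image):
            hits.append((parent.pid, ev.pid, m.group(1)))
    return hits


def temp_exe_given_parent_path(events):
    """Rule 2: a tmpXXXX.tmp.exe in %TEMP% started with its parent's own image
    path among its arguments, the launch pattern of the dropped EXE in this report."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent and TEMP_DROP.search(ev.image) \
                and parent.image.lower() in _args_after_image(ev.cmdline).lower():
            hits.append((parent.pid, ev.pid))
    return hits


def triage(events):
    """Human-readable findings; an empty list means nothing matched."""
    out = [f"runtime .NET compile: pid {p} -> compiler pid {c} via {rsp}"
           for p, c, rsp in runtime_compile_from_user_dir(events)]
    out += [f"temp-dropped exe pid {c} launched by pid {p} with the parent's own path as argument"
            for p, c in temp_exe_given_parent_path(events)]
    return out


# Constructed events mirroring the behavioral1 process tree (PIDs and command
# lines taken from the report; the explorer.exe parent is assumed).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8075d4a731fed91b5a725291d91bacb3a0cf13034f8190c157b45b571f7e4e63.exe"
NET20 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2628, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2328, 2628, NET20 + r"\vbc.exe",
              f'"{NET20}\\vbc.exe" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\ltvuhf_1.cmdline"'),
    ProcEvent(2244, 2328, NET20 + r"\cvtres.exe",
              NET20 + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE7E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE7D.tmp"'),
    ProcEvent(2732, 2628, r"C:\Users\Admin\AppData\Local\Temp\tmpDCB8.tmp.exe",
              f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpDCB8.tmp.exe" {SAMPLE}'),
]

# Constructed benign control (assumed path): the same compiler invoked by a
# build tool under Program Files. Rule 1 must stay quiet here.
BENIGN_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4100, 1000, r"C:\Program Files\dotnet\MSBuild.exe",
              '"C:\\Program Files\\dotnet\\MSBuild.exe" app.vbproj'),
    ProcEvent(4200, 4100, NET20 + r"\vbc.exe",
              f'"{NET20}\\vbc.exe" /noconfig @"C:\\src\\app\\obj\\app.cmdline"'),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
    print("benign findings:", triage(BENIGN_EVENTS))
```

Rule 1 alone will also fire on legitimate software that compiles at run time from a user profile; pairing it with rule 2 (a %TEMP% executable handed its parent's path) is what makes the match specific to the chain shown here.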

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp 1
US 8.8.8.8:53 g.bing.com udp 1
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp 1
US 204.79.197.237:443 g.bing.com tcp 1
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp 1
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp 1
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp 1
US 8.8.8.8:53 bejnz.com udp 1
US 44.221.84.105:80 bejnz.com tcp 44
N/A 127.0.0.1:127 tcp 44
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp 1
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp 1
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp 1
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp 1
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp 1
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp 1
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp 1
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.27.10:443 tse1.mm.bing.net tcp 5
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp 1

Rows are listed in first-seen order; the 44 bejnz.com:80 connections and the 44 loopback rows were interleaved one after the other, with the reverse lookups scattered between them. The *.in-addr.arpa rows are reverse lookups of addresses contacted during the run (105.84.221.44.in-addr.arpa is the PTR name for 44.221.84.105). The g.bing.com and tse1.mm.bing.net traffic is absent from the Windows 7 run and is consistent with OS background activity rather than the sample; bejnz.com / 44.221.84.105:80 is common to both runs and is the indicator to act on.
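Both Network tables use the same row layout (country, ip:port, optional domain, protocol), with the loopback rows carrying no domain. The parser below is an added example for this page, not part of the sandbox report: it embeds a constructed excerpt in that layout, separates resolver, reverse-lookup, loopback and background rows from external connections, and reports per-destination counts and IOCs. The background-domain allow-list, the resolver address and the repetition threshold are assumptions.

```python
"""Parse the flattened Network table format of this report, count repeated
destinations and extract IOCs. Added example; not part of the sandbox output.
The embedded rows are a constructed excerpt in the report's layout."""
import re
from collections import Counter, defaultdict

# country  ip:port  [domain]  proto   (loopback rows have no domain column)
ROW = re.compile(
    r"^(?P<country>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

# Assumed: names the Windows 10 sandbox image contacts on its own; treated as noise.
BACKGROUND = {"g.bing.com", "tse1.mm.bing.net"}
RESOLVER = "8.8.8.8"   # assumed sandbox resolver, from the 8.8.8.8:53 rows


def parse_row(line):
    """One table row to a dict, or None for headers and unparseable lines."""
    m = ROW.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["port"] = int(d["port"])
    return d


def parse_table(text):
    rows = []
    for line in text.splitlines():
        if line.startswith("Country") or not line.strip():
            continue
        r = parse_row(line)
        if r:
            rows.append(r)
    return rows


def classify(row):
    """loopback | dns | reverse-dns | background | external."""
    if row["ip"].startswith("127."):
        return "loopback"
    if row["ip"] == RESOLVER and row["proto"] == "udp":
        return "reverse-dns" if (row["domain"] or "").endswith(".in-addr.arpa") else "dns"
    if row["domain"] in BACKGROUND:
        return "background"
    return "external"


def summarize(rows):
    """Connection count per ip:port/proto for external destinations, with the domains seen."""
    counts = Counter()
    domains = defaultdict(set)
    for r in rows:
        if classify(r) != "external":
            continue
        key = f'{r["ip"]}:{r["port"]}/{r["proto"]}'
        counts[key] += 1
        if r["domain"]:
            domains[key].add(r["domain"])
    return {k: {"count": c, "domains": sorted(domains[k])} for k, c in counts.items()}


def iocs(rows):
    """Domains and IPs worth blocking: external connections plus forward DNS lookups
    of non-background names. Reverse lookups and loopback rows are dropped."""
    doms, ips = set(), set()
    for r in rows:
        kind = classify(r)
        if kind == "external":
            ips.add(r["ip"])
            if r["domain"]:
                doms.add(r["domain"])
        elif kind == "dns" and r["domain"] not in BACKGROUND:
            doms.add(r["domain"])
    return {"domains": sorted(doms), "ips": sorted(ips)}


def repetitive(summary, min_count=10):
    """Destinations contacted at least min_count times in one run: check-in candidates."""
    return sorted(k for k, v in summary.items() if v["count"] >= min_count)


# Constructed excerpt (same row format as the report; the row count is illustrative only).
SAMPLE_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
""" + "US 44.221.84.105:80 bejnz.com tcp\nN/A 127.0.0.1:127 tcp\n" * 12 + """\
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""

if __name__ == "__main__":
    rows = parse_table(SAMPLE_TABLE)
    print(summarize(rows))
    print(iocs(rows))
    print("repetitive:", repetitive(summarize(rows)))
```

Feeding the full behavioral1 or behavioral2 table through parse_table gives the per-destination counts directly; the threshold in repetitive() should be set relative to the run length (150 s here) rather than left fixed.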

Files

memory/3524-0-0x0000000074732000-0x0000000074733000-memory.dmp

memory/3524-1-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/3524-2-0x0000000074730000-0x0000000074CE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\p4m31srp.cmdline

MD5 09ec2a846b5815cb122ec9e57e0bf11f
SHA1 553f42f5b72abbe4e0bb1f7e5af429b8ee3f4661
SHA256 437eff1b2b47166d4f1de7fcc5bd4e3fa6ba175fa38b775cf6c150d9b327e141
SHA512 8eee1c5eb6d646cebad586ce670b168b1574c431b5a793adc46cd6fcd54dbab9135ac3aa038b54437cb9f74a093c1783aa5ddbe88c2a0c8bc93cdbb035ab7852

C:\Users\Admin\AppData\Local\Temp\p4m31srp.0.vb

MD5 0b6d9d7db126fa5d4cae186347e493b1
SHA1 5cebafe94274d0aadf1ef3c33a86c66dcda5f8b6
SHA256 03ff58a809ddf29074cbb7e1f5ca6b06350a2a842bb748caf6a6b0607f7fc503
SHA512 941a768d96f0ad1d76d4175029a304ea149eb61fdee0f23993fd9c130553528fd960b2c95f0d53fb0a7e8796873240ddbcd26e9e078ebe57122b9584b4b18062

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 484967ab9def8ff17dd55476ca137721
SHA1 a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

memory/4716-9-0x0000000074730000-0x0000000074CE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc927417E7424CB6967BC1AB90F770F2.TMP

MD5 d180d1702b4a36e7cca42112c7c880dd
SHA1 51eb5f828bc7aaf1c4213347177add7e700c4d9e
SHA256 f677f2c70e96e0a1068a1eea815a70d47cf2c15e0a7c41200c0568cb1ff11f25
SHA512 608fed29566162a58a9572ea1c9a123708838a9fd299db52afb17b54fac3432e9331f0ae59a5249f052b10c0f26379553f9c055e94ef314f95febf7e5117cac1

C:\Users\Admin\AppData\Local\Temp\RES7FBF.tmp

MD5 baa6f20fd3d90b15e084da962d013f33
SHA1 b388dc1de95f73b91e6327c75d906a55a89492d4
SHA256 ee8edd2f1e2eb9aa586029b962ac9077ec89246af6d060656a1299c4b5b8a8e2
SHA512 d349d4a49e2d9dfab9c6bfe59efe4598e72f8e21c23d812bfe522ca74df46ee7b825cdf96679fa55142c00df5da0e9aced2d8694e21eecdaf4a06d19b1020362

memory/4716-18-0x0000000074730000-0x0000000074CE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7ED5.tmp.exe

MD5 67b17f326cfea571157ad1ae0d2f0431
SHA1 2fa3bdfd6b323e04e4071d4879947ddf96a5d6d0
SHA256 1fa299cda9719fb24f2782421e3043655ee71dfa87f6222debbf227d270763ec
SHA512 e26af8435afe6f8a7469ed200695ff66e51df702e521d65b3c45d6acb97f360452280e56322cc00f3fb7fae4f85acca8b045042e55b1de3f27edde095ce751a1

memory/3584-22-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/3524-23-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/3584-24-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/3584-25-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/3584-26-0x0000000074730000-0x0000000074CE1000-memory.dmp