Malware Analysis Report

2024-09-11 10:24

Sample ID 240722-zncp1axepb
Target 4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b
SHA256 4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b
Tags: metamorpherrat persistence rat stealer trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b

Threat Level: Known bad

The file 4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Uses the VBS compiler for execution

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-07-22 20:51

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-22 20:51

Reported: 2024-07-22 20:54

Platform: win7-20240708-en

Max time kernel: 150s

Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1596 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1596 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1596 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1596 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2652 wrote to memory of 2696 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2652 wrote to memory of 2696 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2652 wrote to memory of 2696 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2652 wrote to memory of 2696 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1596 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe | C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp.exe
PID 1596 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe | C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp.exe
PID 1596 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe | C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp.exe
PID 1596 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe | C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe

"C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hohzydpl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D61.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D60.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp

Files

memory/1596-0-0x00000000740F1000-0x00000000740F2000-memory.dmp

memory/1596-1-0x00000000740F0000-0x000000007469B000-memory.dmp

memory/1596-2-0x00000000740F0000-0x000000007469B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hohzydpl.cmdline

MD5 141c47cb24f5ad779100dfa7c25cb9bd
SHA1 a71d3b6af122974cec32a615129e97840c423e1e
SHA256 54db9fd28c64423a4e499107a89b01dc9b298bbf8719871dd5d630493222f152
SHA512 5da8bcbc55c0649002ca608c8df6c60ff4ef81380a242e1cbfe0b85688c805432995fa76b994c0372cb08f5701a1008a81835941c18c8fccf1fb837f8ad8c4ad

memory/2652-8-0x00000000740F0000-0x000000007469B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hohzydpl.0.vb

MD5 2f648316e85a0887426144e84a9aa5c1
SHA1 b5f4c3de8ed1018c331ee1cac4bf9c0f9c491dbc
SHA256 03b3a6356ff9b453047ec32cb757a84a1aef09da24b73d8356a844aaf5365255
SHA512 51be4b7de4ae7d7827550806176a3e3a697af03993b15e0725deb12858ed2154f0761143964350600b9a603b2eca6077ef3411d9a18a0a6c43ef8b8e235ea9b8

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbc1D60.tmp

MD5 65479c64b7f3cbc39f57fbfa55ed059b
SHA1 e58771d0bd3890102cb5a2d128bb51f88fcb995a
SHA256 dda3681797cde40cf3ddc6e7cbe0aca15814a638420c25b931fd3bf2dd4a0dd0
SHA512 f3c6a451479b3331421cd469799f861ee291e1006d76298e770c72cbac4ce432acb09c938b7a4973352817f6863722a1dde73f9a1afc1a5198d4801aa2df1e30

C:\Users\Admin\AppData\Local\Temp\RES1D61.tmp

MD5 f543ac60322d7f9e70279194629e338e
SHA1 0df10886b7d5499dd7d44bb82c9d84f7684170b3
SHA256 8a8edec63310ba3bfefe840a6460bc7b6bb1c95a68dab25824f716ae30d9769f
SHA512 d7896e779521258bb8f8b4707b08f12b2bc02a2e585ede593e547bd0388a99e20c7f5c440589fdf11b7373e93c18fbdd41545ea976cf02572429a2ce4d572f1c

memory/2652-18-0x00000000740F0000-0x000000007469B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp.exe

MD5 38c6ed3b8a4cd943f4bf2b7265b04f11
SHA1 00a3f9d41b409e3eeebc2011e32fd9878bce605b
SHA256 80951e48fa6a6d37b2c95871ee637a3391982744a86245acbda7e0091bcbcf7f
SHA512 0ced724c16a46ee592eba906754b22ebceda6a1ef990f43bdc665314b2949c7d959c059c2bb824c9aa7c9030c16482b084a61d2c2badf76e270b8fcba1d2a76e

memory/1596-24-0x00000000740F0000-0x000000007469B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-22 20:51

Reported: 2024-07-22 20:54

Platform: win10v2004-20240704-en

Max time kernel: 149s

Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB7A7.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpB7A7.tmp.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB7A7.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3292 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3292 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3292 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3508 wrote to memory of 3900 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3508 wrote to memory of 3900 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3508 wrote to memory of 3900 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3292 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe | C:\Users\Admin\AppData\Local\Temp\tmpB7A7.tmp.exe
PID 3292 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe | C:\Users\Admin\AppData\Local\Temp\tmpB7A7.tmp.exe
PID 3292 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe | C:\Users\Admin\AppData\Local\Temp\tmpB7A7.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe

"C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\evti7dyo.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8C1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1CF5D7F9D14E4253ADE79668C783A51.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpB7A7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB7A7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4423a5d188e8b912d85b2093a48493fe3dee0ab949144d155bfb7fda474d263b.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

memory/3292-0-0x00000000749E2000-0x00000000749E3000-memory.dmp

memory/3292-1-0x00000000749E0000-0x0000000074F91000-memory.dmp

memory/3292-2-0x00000000749E0000-0x0000000074F91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\evti7dyo.cmdline

MD5 45fc4d2c95e1176f740ada9c371b716a
SHA1 9826a7ad7cd9cf63ff8951d3ddfd0206edf69143
SHA256 a783736f5cd27ab798a86e5bf2d430e7da2c9c3238e4f7e16bb4434846a7ce7d
SHA512 2d8b94d18ade7d44b29277c31e848b7d9153405683f087e2663a061bfdedcc290f0f23901af6b57106acf774b555eb075ba9d680ec3b21c8a4a356907ea193b4

C:\Users\Admin\AppData\Local\Temp\evti7dyo.0.vb

MD5 e4cf6d087d8cb6014c9be2667db21c71
SHA1 0bde221dd36a1074352bc67609bca7e39c5324d0
SHA256 164b7a9ece8c6fa2d5b13344d1199023c15763e555af023b4ff9e2aef8f46e30
SHA512 9e575dd158a8441ad4924a2b39d4b54df135984e2f6e595654a00b4de7ec8b9c1978e5a2d3685f492bed8c400c8e27a29f3491231ee3f64261bb6c4ec731ed41

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

memory/3508-13-0x00000000749E0000-0x0000000074F91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc1CF5D7F9D14E4253ADE79668C783A51.TMP

MD5 3038600e56b1ce2576e3677e547fa683
SHA1 bd23b1bb17620e0360c1136b2aa35b4d78050424
SHA256 0bcfbb45d1970423f969e1e39977515415d3879255db0e083db78e0332034eff
SHA512 17479428877506034950ac9d7d8909240cb158fd8f6339edb32fa280d1440cd28b45cd62d013989a769fe99b38d6f12ce44d0d3e2e016bb40d9db68a3a618c7f

C:\Users\Admin\AppData\Local\Temp\RESB8C1.tmp

MD5 8cfc7207a9750a06b7f1a9d65e9e7c70
SHA1 c973b7c4206d3232b561464739afa9a66dbcf1fc
SHA256 72182953ce378a60a30a33c56933263472a31d23259e6fa37d2f5241e85be307
SHA512 4251eb6e13d1eacbfe10736f967329b2a06100d06609515465d4772474765986952f5b13adad7d04cd001d6cb32f6a2c945eb41150aa671ca953ba22a55e6ee5

memory/3508-18-0x00000000749E0000-0x0000000074F91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB7A7.tmp.exe

MD5 b7ad68801967aff964881b269fd2b6a1
SHA1 c145da2aa3a11282a2d129b472b218a58b69747c
SHA256 a82573a1d3ccb3fafe39f006e538a5f7932f276632b827339004ee48a277fa4a
SHA512 0c3a862c26f82cf9cd0aeaca6407d04f3a7f85cfaec9277948563d235592a8785004f1781b8056140e2a118d7ce180a8bdde8e00a85932b1072110703c6440ac

memory/3292-22-0x00000000749E0000-0x0000000074F91000-memory.dmp

memory/2640-23-0x00000000749E0000-0x0000000074F91000-memory.dmp

memory/2640-24-0x00000000749E0000-0x0000000074F91000-memory.dmp

memory/2640-25-0x00000000749E0000-0x0000000074F91000-memory.dmp

memory/2640-26-0x00000000749E0000-0x0000000074F91000-memory.dmp

memory/2640-27-0x00000000749E0000-0x0000000074F91000-memory.dmp

memory/2640-28-0x00000000749E0000-0x0000000074F91000-memory.dmp