Malware Analysis Report

2024-09-11 10:23

Sample ID 240723-gdjfpazfka
Target 72be6a06caeeaf3d7eb5efa353dcadb0N.exe
SHA256 155116ff317590abcdc9d3995f8613af3ec569fd2f7ad4cba7e1fee63cbb4a72
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

155116ff317590abcdc9d3995f8613af3ec569fd2f7ad4cba7e1fee63cbb4a72

Threat Level: Known bad

The file 72be6a06caeeaf3d7eb5efa353dcadb0N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-23 05:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 05:41

Reported

2024-07-23 05:43

Platform

win7-20240708-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE2C1.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpE2C1.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpE2C1.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1780 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1780 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1780 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1780 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 884 wrote to memory of 2772 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 884 wrote to memory of 2772 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 884 wrote to memory of 2772 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 884 wrote to memory of 2772 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1780 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe C:\Users\Admin\AppData\Local\Temp\tmpE2C1.tmp.exe
PID 1780 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe C:\Users\Admin\AppData\Local\Temp\tmpE2C1.tmp.exe
PID 1780 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe C:\Users\Admin\AppData\Local\Temp\tmpE2C1.tmp.exe
PID 1780 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe C:\Users\Admin\AppData\Local\Temp\tmpE2C1.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe

"C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ckyvyquj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3E9.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpE2C1.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE2C1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/1780-0-0x0000000074DF1000-0x0000000074DF2000-memory.dmp

memory/1780-1-0x0000000074DF0000-0x000000007539B000-memory.dmp

memory/1780-2-0x0000000074DF0000-0x000000007539B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ckyvyquj.cmdline

MD5 40e02f02238b346af2df668e67e21503
SHA1 5935990ced027d69922c7f52147780aa4d53e3f9
SHA256 1a483c1368b8e3c08ec969397677f18c4865119dec30ab542b7f20e435741a2b
SHA512 091d7a8322b6c8e8fbc90e853979580a068311a29ee0600bd78528b11b139f0b383200813521014f2bfcf46cade6e297559b0c263e2d2dce27d44d6143fa51fa

memory/884-8-0x0000000074DF0000-0x000000007539B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ckyvyquj.0.vb

MD5 a505c2020eaa5c7461ab3b047ad0baa3
SHA1 74ec53468b668ef33535a5e998165c0211a2e097
SHA256 4080d3e653972a0e53f93a12ebd571a26dbb9313151cc1d9d7343787c9723dbb
SHA512 aabb55e31f4739280a3819c8ce173857a4c7e4ce3226f5b00b38c4687efac437ff415bbec2ce62880330621a24879371e226cc6ccd3092e5bf97714abcaaa6de

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbcE3E9.tmp

MD5 62440c459515189136913234c5034548
SHA1 194681b0947d7c774c52ad1bbc4cdc70e48ef7da
SHA256 5c8e2d884e296ce90f203777bee47b6ac626ea57a140482001674c7e8084120d
SHA512 7cbf5df6873f2b00a02ca66fd2a64cebeb3947b90f567734c7ee63e9e03cab1f55b47e5e22f4c6c59a6eec0c5c775ddc9eb5fce2d4ceb240229f74fec84af7b0

C:\Users\Admin\AppData\Local\Temp\RESE3EA.tmp

MD5 0c67d2af4d167b800a4a9926c68f97a8
SHA1 b113d81fd4a71ac1d96d82fb98f36da5090e5d09
SHA256 396d6d78e38a171e829e6db2d7201531510b1f9c04c2427a6d463d14044b2293
SHA512 d9f7d3ba4f280670f7f9f85e526fd7084c6bf784a9b871dd6d18bee3d545186096f98cef66320b154c6a1a35b9e5ec6c8516af426dcbf502f465007da390a36c

memory/884-18-0x0000000074DF0000-0x000000007539B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE2C1.tmp.exe

MD5 cf7991d08438583ef6bf620c04a652d1
SHA1 0e148f33d334423b7d79ea657b01f248141cd959
SHA256 ab1d0a4d7c1e64450f89e8b24953d9b566a02ee5821d6212586ecd5b645070f4
SHA512 4135b4f2bac2ccb0bd82599532c9eeff9b48912108068e1d97cbec7d9e187f9bfba2ff514c881d9f5cf7e53cfbd1e0af43dc0d6505fd6d618c1e07b9f4493c92

memory/1780-24-0x0000000074DF0000-0x000000007539B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-23 05:41

Reported

2024-07-23 05:43

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpAC4D.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpAC4D.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpAC4D.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1100 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1100 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1100 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3728 wrote to memory of 3852 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3728 wrote to memory of 3852 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3728 wrote to memory of 3852 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1100 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe C:\Users\Admin\AppData\Local\Temp\tmpAC4D.tmp.exe
PID 1100 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe C:\Users\Admin\AppData\Local\Temp\tmpAC4D.tmp.exe
PID 1100 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe C:\Users\Admin\AppData\Local\Temp\tmpAC4D.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe

"C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oubi_sqx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADB5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc55A198E5CF1C46C287CC922BD07031EE.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpAC4D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpAC4D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\72be6a06caeeaf3d7eb5efa353dcadb0N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp

Files

memory/1100-0-0x00000000750E2000-0x00000000750E3000-memory.dmp

memory/1100-1-0x00000000750E0000-0x0000000075691000-memory.dmp

memory/1100-2-0x00000000750E0000-0x0000000075691000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oubi_sqx.cmdline

MD5 c6ff39c15f00b66e7d3196abf4a1035b
SHA1 8ec7bf6882f636c97a025c7c4ccffaaf8081e9c9
SHA256 4f5f0b6e86a25869eb2f1872610e61e1524c55420a1e028532e94d7653fc175f
SHA512 6c179cdc4e68f1fd0c7bd8443c28f61619c11aa4dad607869be4c93533a05e2a10e9df1491555ef1d93d54b0e7cb63be512f825480720136bacb38cf95be0b63

C:\Users\Admin\AppData\Local\Temp\oubi_sqx.0.vb

MD5 38133d42ec498eee3d113894ec294608
SHA1 723a7319e35282813ea2a667b76e12083b16fe9c
SHA256 6f2793e238d1f50f09d3987ea565cb78213675bc18a565db297470bfd559417b
SHA512 6ea68f3b9bc5bf1244b05c0581dcdbf11fc2191d18f67b3e9387e7b3fdb0b7cfb81dc881f19d6366749eca942deb01c2138f7924fd4ae699f587c96b758db510

memory/3728-9-0x00000000750E0000-0x0000000075691000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbc55A198E5CF1C46C287CC922BD07031EE.TMP

MD5 0bb851c23841754e6df65606b80a9f09
SHA1 b8c0089980f2755c2a47341f43d95f7c3259ec42
SHA256 f8177305a678504c405aa7318e02f93cab17dc6cf530a368a6f2090044622372
SHA512 e37087bf7414dc65eb00d5a3add8d1bee979dd4fc1061fbf9581c8607657ff944d3ed45a72b6e9ee1679c1a9c926ba22c5815f4eb387c4faf7dc218a0d3f3163

C:\Users\Admin\AppData\Local\Temp\RESADB5.tmp

MD5 fd2b84aff380ba07f514ee4fb0254d73
SHA1 5b9e2453c6249a9fb9ac7cf59cb003deff2e4bd2
SHA256 d63d0a7f596d3d5ef8e83be12aa479402f0a6745a5c7b1be28e1f5ccc4e7b277
SHA512 8a2425ddd97bbb2458c70c26cbd93e3a722f7499446b3533a15c049d4bca7d93bf2ef94d466f088f92f2cfbe99be9b971cd646b75b345ff980abfab594b80e26

memory/3728-18-0x00000000750E0000-0x0000000075691000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAC4D.tmp.exe

MD5 23b8129d96a357fcc6ecfe893d45d43f
SHA1 0170b564cd903c6b92aadb8f8c4c9df531974a2d
SHA256 0f5c5de8fe410d8e279d9ce062d2e2cd05c64edad8d42022521908c682387677
SHA512 dfcbb456c3eb1254ccfab198fc7b4798901c425eb0222984a4f615f8ee48f639290122e64dbc6fcb041dff6b00a3021ca6d960c5f5f6b09ab3b97dfd3f3ef72b

memory/2200-23-0x00000000750E0000-0x0000000075691000-memory.dmp

memory/1100-22-0x00000000750E0000-0x0000000075691000-memory.dmp

memory/2200-24-0x00000000750E0000-0x0000000075691000-memory.dmp

memory/2200-25-0x00000000750E0000-0x0000000075691000-memory.dmp

memory/2200-26-0x00000000750E0000-0x0000000075691000-memory.dmp

memory/2200-27-0x00000000750E0000-0x0000000075691000-memory.dmp