Malware Analysis Report

2024-09-11 10:24

Sample ID 240723-z5h84sscke
Target 0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
SHA256 070def2d76946994196689b38aab650d16799ec9632ab44fb9926ce55bc6d2e3
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

070def2d76946994196689b38aab650d16799ec9632ab44fb9926ce55bc6d2e3

Threat Level: Known bad

The file 0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
System Location Discovery
T1614
System Language Discovery
T1614.001
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-23 21:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 21:17

Reported

2024-07-23 21:20

Platform

win7-20240704-en

Max time kernel

117s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 560 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 560 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 560 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 560 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2468 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2468 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2468 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2468 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 560 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp.exe
PID 560 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp.exe
PID 560 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp.exe
PID 560 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe

"C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fdysrknf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3370.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc336F.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/560-0-0x00000000748B1000-0x00000000748B2000-memory.dmp

memory/560-1-0x00000000748B0000-0x0000000074E5B000-memory.dmp

memory/560-2-0x00000000748B0000-0x0000000074E5B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fdysrknf.cmdline

MD5 d16fdbf48d43701e016840965f1df31c
SHA1 ec2825ae5ccc08de854adcd8bf5cd553f9244fad
SHA256 6cac0cafbd66696b8cd0e1cafa0aff88559c74c67dd6a5c376dc50a13177074c
SHA512 ded7bd7b9a61a902738b98b8bd30631e2c81eeb8cbc39c823b12033d0a281abfeb2a6d2071fc6e5d74988ec91262add412e541b4adfee19f8d3a23c1c246047e

memory/2468-8-0x00000000748B0000-0x0000000074E5B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fdysrknf.0.vb

MD5 6d52664d61a9a3c9fe10bb4d01d575ec
SHA1 27a8262e80e55c8b2317e658285369858eed6797
SHA256 a96f90258caf142e21b70ccfe36bc41099eb63bc314fc8885a5efe368c2b4309
SHA512 5a129fba5d612535ac085f24505536addcbcfcc1c659b702f8f3b20d50df4874fdd742ee38588d835528a55694c45fb6e6c77e068e0671c3f0f6f6481de035e0

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbc336F.tmp

MD5 5f34b9a1843666538a7d5cca37ec73b3
SHA1 037de3fa621fcdffa80319a1d38a6457f8cefc82
SHA256 684dfbd896552e7d7160b955e0752c86d52ec9003837f75575f3418706c0c2b0
SHA512 89ecade41191fe4b8c59f69d5a7b5142028a048eb8216f58a4c21634465f296cdf921eea6720ddd0901a568cf5a304f24e0bc3f1ac239ae139e971c55a3e4f7c

C:\Users\Admin\AppData\Local\Temp\RES3370.tmp

MD5 ff132c4f4ca20c5fdcd6c26702f6a884
SHA1 02bb219e757a8e2c51485d7735e6e414e84e0cc0
SHA256 8388e0f7b089360cd285e11975f8f4fa6241e43037f9ccfebd0cb573e42a0f4b
SHA512 67b4ee6bd13c0dcaea6bc458b4f31142b995ddf26bb57353300f523415f49fc2f1a036a80b153cb7b01af3db0610ae422bf3f5512d8e6598aacb2980282997e2

memory/2468-18-0x00000000748B0000-0x0000000074E5B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp.exe

MD5 af9af37199c936713f45e362d8a45e39
SHA1 6984a2dba9872dded20089dddec66c06e25daca2
SHA256 1a46d21a2d180523cde40c209ed12f20a2ae1fefb2fa8cfcdb2688c332b569f7
SHA512 b981107e3e325fe9841ac3fb6dbebd8639bfe64a3d5c534d0ba626e23f28b78bfcc8e42968ec4b176336b885c7be6680ddbbe21800894791b61342e5a6bf0462

memory/560-24-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-23 21:17

Reported

2024-07-23 21:20

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4084 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4084 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4084 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4152 wrote to memory of 5096 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4152 wrote to memory of 5096 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4152 wrote to memory of 5096 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4084 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe
PID 4084 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe
PID 4084 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe

"C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v-uzxpxg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E55.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C08650A27414BB9A52BAB82F1AA29A2.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/4084-0-0x0000000075472000-0x0000000075473000-memory.dmp

memory/4084-1-0x0000000075470000-0x0000000075A21000-memory.dmp

memory/4084-2-0x0000000075470000-0x0000000075A21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\v-uzxpxg.cmdline

MD5 f11a90b561f2d5bfd5edbae67dac7eea
SHA1 54d7ac5764287ff2e8d1e8fc1adc726a3114c73d
SHA256 295d2355c65b0c01f98757c9cf857f6ccccd3e6248c9d31ea6a1c457c184fbb6
SHA512 c9afbdcae3e4cdc0cade392783a002b15665df824e0b114cba4c70bba5d74d7b0677dcac1e81a5a89c9f1311213f9315f8ede31deeb7a789440faca317c5e628

C:\Users\Admin\AppData\Local\Temp\v-uzxpxg.0.vb

MD5 0eaf5a9a477fbe13fcdc66fe93a578ad
SHA1 0fcb401107bcf4420506f6a075501fcaa5733670
SHA256 d4685460abb10132d4e2c06e4850cb8980933839eb3117caa920f6466367a8fb
SHA512 eb2f940f389e1c8a8953e798e8b1b4bc48a35bf12da9f080f61fa6f6d0a3588f34faffd4da86547cd055ab059a12830d6232555383fdd5e6e61ac5554917f76f

memory/4152-9-0x0000000075470000-0x0000000075A21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc4C08650A27414BB9A52BAB82F1AA29A2.TMP

MD5 a36738fc510ffe5443e9074b23dc34b0
SHA1 ea0f9b766aad1eb5a5db38eb59922b68cd6e7e85
SHA256 aa757f04dcd7e3caf2bf3c1dcd3c534d0d2d614e7d173376fc6bf800e1455746
SHA512 42498a1d1eac3385b77d7f39cdb9716b6e3bb5c70a567042478ac2b02c452e90d79132abe838343c8243d008c85de9b02e6878f158bc6cee37bd084e3c9c1c14

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\RES8E55.tmp

MD5 7b1c47e3a8facce10498b13015b1a323
SHA1 d03ff2434a56f9160535dd20573331b6570179c1
SHA256 9a6796542065af40bc304408defeb799c277b147353b4bb14683a3c1e154a800
SHA512 b8826692807fc80e68722eff7b6a55f46de3e4eba864bb9d959222b52029305c5512b32aada24cebf1a5017915bbd4946e5b5aee3f434635b2d63c706a83cda6

memory/4152-18-0x0000000075470000-0x0000000075A21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe

MD5 708b78eaffe0017469c6b1d24fb3b9fe
SHA1 03801b63066deb0483abab87ca4d62d5ef44d894
SHA256 4ebeca321982693f9460c17db17dd2a00becf7ab5f016d1f7ad0990bf9f42a68
SHA512 1eaf96a61c754889ec43736132fee8fd5925076b4ba6ad2b214bc439e183be0def59fd6256051b32e0cc8646ac3ef489dd1c970e14a96dc997c64024f1b05f91

memory/4776-23-0x0000000075470000-0x0000000075A21000-memory.dmp

memory/4084-22-0x0000000075470000-0x0000000075A21000-memory.dmp

memory/4776-24-0x0000000075470000-0x0000000075A21000-memory.dmp

memory/4776-25-0x0000000075470000-0x0000000075A21000-memory.dmp

memory/4776-26-0x0000000075470000-0x0000000075A21000-memory.dmp

memory/4776-27-0x0000000075470000-0x0000000075A21000-memory.dmp