Malware Analysis Report

2024-09-11 10:24

Sample ID 240725-amv3hswdmr
Target 3bbf562527e29091bb75e829c2992850N.exe
SHA256 eee6b012e88a2c757fcdadfdc681e5c6ab2f748f84b8b1e8037340b1b8a2104d
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eee6b012e88a2c757fcdadfdc681e5c6ab2f748f84b8b1e8037340b1b8a2104d

Threat Level: Known bad

The file 3bbf562527e29091bb75e829c2992850N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Loads dropped DLL

Uses the VBS compiler for execution

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
System Location Discovery
T1614
System Language Discovery
T1614.001
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-25 00:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 00:20

Reported

2024-07-25 00:22

Platform

win7-20240705-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1656 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1656 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1656 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1656 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1892 wrote to memory of 2684 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1892 wrote to memory of 2684 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1892 wrote to memory of 2684 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1892 wrote to memory of 2684 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1656 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp.exe
PID 1656 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp.exe
PID 1656 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp.exe
PID 1656 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe

"C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j1ucalmt.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9954.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9953.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/1656-0-0x0000000074F31000-0x0000000074F32000-memory.dmp

memory/1656-1-0x0000000074F30000-0x00000000754DB000-memory.dmp

memory/1656-2-0x0000000074F30000-0x00000000754DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\j1ucalmt.cmdline

MD5 06a238db4f9879189576c972f94b032b
SHA1 0ab9e6ae0da07f764252f9b70c8f1d6e7943b61d
SHA256 4bbc04b0b21b15a76ee04a0e679e05086ec35ecc23de01b5a5907d2727ed85f4
SHA512 d74275fe71d82abe47885212874aeaa0d9197e4edbbce9bb5a7fa5047f91716901f16fcab91bedeb41b0c2d2102b5af263a9b7b0ee9a65725fea187b2042b9bf

memory/1892-8-0x0000000074F30000-0x00000000754DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\j1ucalmt.0.vb

MD5 2bb83e8f525826591f481a304dd000c6
SHA1 07a9363a8f3f8ce8ed940d81a01fc28aac36a08c
SHA256 db163abe3a492f98c4fb2c0b9a44f51ed6a348c0519fc782affbf17a8ee2ae02
SHA512 ee3580de2fe66ec01895a25dae534cc449f6c342bae9a76046d2a25ad2ada4a9266ac1279bc4ce7029f138408f98334ca26617e4580f0cd00b46774f2c8e6b68

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbc9953.tmp

MD5 815ca81aba4be7934482d406d6b0054d
SHA1 d16210b7d726f815e29ed89705af58cebb5976f7
SHA256 d094f123a5558343f26bfb0e9df5b16dd10b399ebd1ea8bd42a19c6987a6b9c0
SHA512 8e21012d70305a2cdee907bc8b332ba07ed00baf050045e18e9dd1ce1e192e637b6a6c2e00b3acda720768c62e5cd11db18b3815938643ba0c097aae2ccc8fd4

C:\Users\Admin\AppData\Local\Temp\RES9954.tmp

MD5 b9eb8478a36ba9218f6069cbc259f274
SHA1 55d1d860ee0b020aa7291fa6d400e6c586bf8f57
SHA256 36997beb6caa00e1e79b7e670811641b456a0e69aa79f10b345a52a1cd8dfc57
SHA512 f21d6b02f03315d486b7f8b4c25f82986ba25004c979372044b62925d956e7e54cdfa92077cb6ced6cb7f769b668646868fced71be1cd17f6d9b22888cc14a33

memory/1892-18-0x0000000074F30000-0x00000000754DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp.exe

MD5 252bfddb66909ca3a8d4ab6a00c5ce85
SHA1 632b2e48bd0573142c646f8dbd7ca3fc04b79c5a
SHA256 228356c505f8ea2e7ed1c078e4f0ed2e63a2cc1cded89aa32afc0716f8352c59
SHA512 7aa2f1ca5d430ce4385e7bd206df14db25c4f3c07002ee8b90344025edfa696aed76a723eb2f0fb27ff1f496dadc29e442108629faffbb82165e8344beb01c27

memory/1656-24-0x0000000074F30000-0x00000000754DB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 00:20

Reported

2024-07-25 00:22

Platform

win10v2004-20240709-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9982.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp9982.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp9982.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp9982.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1168 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1168 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1168 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3204 wrote to memory of 4920 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3204 wrote to memory of 4920 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3204 wrote to memory of 4920 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1168 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe C:\Users\Admin\AppData\Local\Temp\tmp9982.tmp.exe
PID 1168 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe C:\Users\Admin\AppData\Local\Temp\tmp9982.tmp.exe
PID 1168 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe C:\Users\Admin\AppData\Local\Temp\tmp9982.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe

"C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\md6iqq6d.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B08.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB9A17646829E4F88AA99C1E68C7142CB.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp9982.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9982.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 52.111.227.14:443 tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/1168-0-0x00000000750D2000-0x00000000750D3000-memory.dmp

memory/1168-1-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/1168-2-0x00000000750D0000-0x0000000075681000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\md6iqq6d.cmdline

MD5 9c042f8abdb62d719fdad8a79e517d61
SHA1 27b3b7edc39d2dd740f36c5e057ffeec30d0b412
SHA256 d4c2cc330394300258fdaa71fc03cf0793fdff0e72ff221b772e7ee1ab14538b
SHA512 6128181c297c32ab6ffd7058a913878dbab0de42f54b5a33e855e391a24c79998f53d5a6b00c3d73d138bb785e010efd093427f94c6dbeacdad84a1b22d4baec

memory/3204-9-0x00000000750D0000-0x0000000075681000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\md6iqq6d.0.vb

MD5 898858c0f81d4d8cbc2cd7eaeed24d30
SHA1 2bfd5c74d3845f269cf76846507f69a469e26040
SHA256 39f5b0f5f729cbbd63040ce59f724f2ac716f72a227e29044c71a11b0d586ca1
SHA512 cb54bcb39e8b6aa550e73da43b05b32f20ac0293d9f10df255e7759c851d2b83ddbf0c61f503b8c275b60cb1cc8955f94a7a78d4cc221817b75ba260ad45d613

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbcB9A17646829E4F88AA99C1E68C7142CB.TMP

MD5 bad742d876619e7dcaf23d16f60265d5
SHA1 40c35d73d94c158b87bd97b330714479bda7c2f1
SHA256 bcfa48ac68438c33e6a3b717cbf134cdaad8dd81d2a85fac6eb559d09d73eb59
SHA512 f147572a333d851eb2987fca8c4ce478985179ff0223e9e8d18e05c710e86c60c5b46ad122c330552fa894c79b60c21fd38440c70489c0722d3e7e55203e4435

C:\Users\Admin\AppData\Local\Temp\RES9B08.tmp

MD5 dade52e7ca5c285b909c9b13e36c6775
SHA1 08eca86b009965a33e3e2f70f639a60cbcd259c7
SHA256 3630e79c9fc61722d00899fe1bae6292f897b154864a6a785bff9ae52c6c979c
SHA512 03e643e64893572943e1730c00a29f6d041158ea4c29bb12f13ea51ebcbcb8dd9d45609cbdb901492971550503a8d617d4dc9e186404d50bcef5d8b894c9b8f4

C:\Users\Admin\AppData\Local\Temp\tmp9982.tmp.exe

MD5 a8c0264a6496bbc3e2055c694df10ef9
SHA1 d890f306656b1e84dc67bee04c3f8255a7c83fae
SHA256 7f57d3c60eebd817045455d90569aa535e7bacac768d815eef74b5cf3da20d50
SHA512 a129a9c75f64a4053d2b047bd4609afa0ccc386db13fb56fd8741e2b079d81dae54c22ba72e522de9fb577507dabece595904174d29acd1a46fa96e7fba93c57

memory/3204-18-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/1168-22-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/1536-23-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/1536-24-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/1536-25-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/1536-26-0x00000000750D0000-0x0000000075681000-memory.dmp

memory/1536-27-0x00000000750D0000-0x0000000075681000-memory.dmp