Malware Analysis Report

2024-09-11 10:24

Sample ID 240726-atc6aaxfrd
Target 3bbf562527e29091bb75e829c2992850N.exe
SHA256 eee6b012e88a2c757fcdadfdc681e5c6ab2f748f84b8b1e8037340b1b8a2104d
Tags
discovery persistence metamorpherrat rat stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

eee6b012e88a2c757fcdadfdc681e5c6ab2f748f84b8b1e8037340b1b8a2104d

Threat Level: Known bad

The file 3bbf562527e29091bb75e829c2992850N.exe was found to be: Known bad.

Malicious Activity Summary

discovery persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Checks computer location settings

Executes dropped EXE

Uses the VBS compiler for execution

Deletes itself

Loads dropped DLL

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-26 00:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 00:29

Reported

2024-07-26 00:31

Platform

win7-20240704-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB3D5.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpB3D5.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB3D5.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpB3D5.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2388 wrote to memory of 2568 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2568 wrote to memory of 2268 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2388 wrote to memory of 2708 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe C:\Users\Admin\AppData\Local\Temp\tmpB3D5.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe

"C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d-iqhwla.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB52D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB52C.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpB3D5.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB3D5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 44.221.84.105:80 bejnz.com tcp 82
US 8.8.8.8:53 t5tmike.no-ip.info udp 1

Files

memory/2388-0-0x0000000074DE1000-0x0000000074DE2000-memory.dmp

memory/2388-1-0x0000000074DE0000-0x000000007538B000-memory.dmp

memory/2388-2-0x0000000074DE0000-0x000000007538B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d-iqhwla.cmdline

MD5 4fac59e56f24f89c8b8c52573aaceee1
SHA1 fc32396aaec9f9a5c2e07158879d69af616f3bad
SHA256 7ef4dfc2a6baaef95e3cf2bb6676034a60658ab6631eb7fc00fdd3310d7e5cd8
SHA512 6663911e1f4121ccabd050a57e6fdb4e87c43dc9a14c22de7810a6bf99fd675867ecf00b3c6856eb7d28bf2b93c92104f4e0361b4fc935f129754c44ec506c79

memory/2568-8-0x0000000074DE0000-0x000000007538B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d-iqhwla.0.vb

MD5 2ca221524c5d362254c16d34f1392de5
SHA1 d793be5a434b1f4723a8ac1c7747eb28e0834f1e
SHA256 b24910e5a74428983981799dccb61a840c503640de32a23032dd5d7880ac7e74
SHA512 0f94c7802df340c472c7266a4ee030780bc823a30a6c341ab17d8293178cad49d931722c4e0f9c88a4ddfe9896d460c68e986ab61bedbae64b80d67ba092c3e8

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbcB52C.tmp

MD5 9ae0ab9934ca922a0f032d111ced768a
SHA1 7e5e713164c58ca8d1d350a0f2bb21288afd8b6e
SHA256 94ff0ad631bef69e08b5ff2d9bf6f4a3499b51c26492fc0be763bd429405ca53
SHA512 6bbfdee42986cc4bb67c5ba50267aad2b42d5d064d7b9604dda3d628a0fc9dc5fef49b84e47e180725bc988159ce800280980b019f15934ef37608ceb4465883

C:\Users\Admin\AppData\Local\Temp\RESB52D.tmp

MD5 65a6abecd1b8346eac43717cd301ea5c
SHA1 cbe64cdf96faf724716d99ed65b3470e287be67e
SHA256 195f72361e465656c7ac31cd3004cdb269b7784f1b79941ac72eb03f4fb232fd
SHA512 a8090a9970681784ba8bbc8d2fedf2a1db2e715115978308d1556f427c1e47df5a03022f27611532f2b34df677e874b64741e300d93e7419b1c2868b3db43e1a

memory/2568-18-0x0000000074DE0000-0x000000007538B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB3D5.tmp.exe

MD5 cfae413edae2b13da6de59d61bf913cd
SHA1 438dfbaf2ed6558a9310f7ed8e0e430f010c43c9
SHA256 02ad03d11a31b83a00710e05e8768a5bfc4046e563421f0780bf5b6243fa703f
SHA512 12a439061a89dbbc20de19cefdbccbd9420248d09a07f633ef43758f9c724b2fc38503054608e8385902c3a183657984526ffa5aa70dc389185de9cdf27b5bb9

memory/2388-24-0x0000000074DE0000-0x000000007538B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 00:29

Reported

2024-07-26 00:31

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe

"C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3u1asdgi.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF1C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA75238102A745638DA8ED9211F0BCA4.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp 1
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp 1
US 8.8.8.8:53 g.bing.com udp 1
US 204.79.197.237:443 g.bing.com tcp 1
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp 1
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp 1
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp 1
US 8.8.8.8:53 bejnz.com udp 3
US 8.8.8.8:53 t5tmike.no-ip.info udp 21
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp 1
US 44.221.84.105:80 bejnz.com tcp 77
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp 1
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp 1
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp 1
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp 1
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp 1
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp 1
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.28.10:443 tse1.mm.bing.net tcp 5

Files

memory/3632-0-0x0000000074942000-0x0000000074943000-memory.dmp

memory/3632-1-0x0000000074940000-0x0000000074EF1000-memory.dmp

memory/3632-2-0x0000000074940000-0x0000000074EF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3u1asdgi.cmdline

MD5 c043e47a7b63d87293f3280b79820768
SHA1 bbb78b85e4047c6704b85693bfd3817041aac605
SHA256 37c2f78b6ebd6838b6eb71c32f89454a14c3270a965296c5e6b71655dd7c3f4b
SHA512 ea364990d74784b22db1dba4fb697dbda2ddff2cb97cb4fe27bf8d4934016caac837a6c10320bb81994c08120cb3f982a46c8ed03c354c017ee340d97503e176

C:\Users\Admin\AppData\Local\Temp\3u1asdgi.0.vb

MD5 e70c97278d3529288bfc58dd11b84228
SHA1 6e1f992c13ae581f2651a05aceeacde6e491493f
SHA256 3b4298c437dfd66e977a6a08bc9ba5075e1cc44e0b204da88cd04e1110668a60
SHA512 f6deeb8c2a33b40449a350e8d63182161d25835f402517f2f002c43a45b504c9258d0b6b57d1ab7f8a6bd9b850aa369715e90d7e6d3862e5e9b9d38447152758

memory/4756-9-0x0000000074940000-0x0000000074EF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbcA75238102A745638DA8ED9211F0BCA4.TMP

MD5 b2f595763357c2a35f6b54e86a71a435
SHA1 1a6b4a6b1ba061cfdc6b3e15b6f0012b13c930d4
SHA256 443fc11021a172a4d5a94d9b8a1f094e5082502f2fd4e1da120a10fa05b25aac
SHA512 b5f5614ea5fab402636b0975bdc887f497f4a664d51ee3d804abd50682df6baec4f6010bae65ed283a875333aeb03d03ed4f00a0c97910f9948838a407198d1f

C:\Users\Admin\AppData\Local\Temp\RESAF1C.tmp

MD5 0ec104bd7646a142629759eb56369e27
SHA1 35897aa8b823a81ccd42b1636f0b0fd7a4d6a909
SHA256 bac5470f81a8afa44647c9f2109fc6e8388bd4f823fa13a06693886c962116ca
SHA512 d9bff87255da49adc19ee1f4809b5e09e8abea34a0981a878d735eefadf122824524e90c331ef63ca6a1ca14f8177a6ae187cec9fffbf75fe8628e23f6f96829

memory/4756-18-0x0000000074940000-0x0000000074EF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.exe

MD5 3a5fda60103a1ffc50d3024efb45a85e
SHA1 8f7db6a728efb711eee96876cdda5f70e7f45676
SHA256 4fce9b8dcfd6e8129b38819ea21642db7bdff088dd9db9d6035d4297802e4d85
SHA512 763e9291166611d216b66d4ea7df7256b174b46b47db54adcadbf47976f14c4499f06e6b367924a8092a71fb7cab35d4d3fa08e4a4820e92ed42ccc72340cae0

memory/372-23-0x0000000074940000-0x0000000074EF1000-memory.dmp

memory/3632-22-0x0000000074940000-0x0000000074EF1000-memory.dmp

memory/372-24-0x0000000074940000-0x0000000074EF1000-memory.dmp

memory/372-25-0x0000000074940000-0x0000000074EF1000-memory.dmp

memory/372-26-0x0000000074940000-0x0000000074EF1000-memory.dmp

memory/372-27-0x0000000074940000-0x0000000074EF1000-memory.dmp