Malware Analysis Report

2024-09-11 10:23

Sample ID 240726-gmavxazeln
Target 875aa8aeeb28f3646c22208934098420N.exe
SHA256 da8bcbbbf398154b18c1f9d8a4c2799af67aff835ee82c8f65365376d236b74c
Tags
discovery persistence metamorpherrat rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

da8bcbbbf398154b18c1f9d8a4c2799af67aff835ee82c8f65365376d236b74c

Threat Level: Known bad

The file 875aa8aeeb28f3646c22208934098420N.exe was found to be: Known bad.

Malicious Activity Summary

discovery persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Uses the VBS compiler for execution

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-26 05:54

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 05:54

Reported

2024-07-26 05:56

Platform

win7-20240705-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp163F.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp163F.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp163F.tmp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp163F.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2220 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2220 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2220 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2220 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2680 wrote to memory of 2708 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2680 wrote to memory of 2708 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2680 wrote to memory of 2708 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2680 wrote to memory of 2708 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2220 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe | C:\Users\Admin\AppData\Local\Temp\tmp163F.tmp.exe
PID 2220 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe | C:\Users\Admin\AppData\Local\Temp\tmp163F.tmp.exe
PID 2220 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe | C:\Users\Admin\AppData\Local\Temp\tmp163F.tmp.exe
PID 2220 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe | C:\Users\Admin\AppData\Local\Temp\tmp163F.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe

"C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8g-drgne.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1768.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1767.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp163F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp163F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2220-0-0x0000000074D71000-0x0000000074D72000-memory.dmp

memory/2220-1-0x0000000074D70000-0x000000007531B000-memory.dmp

memory/2220-2-0x0000000074D70000-0x000000007531B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8g-drgne.cmdline

MD5 7c4a94743b6c7b2870fd70e85e8cc7bf
SHA1 de5e274f57f57f1938e4b06356204900b4dd6f1c
SHA256 ca0a33390b8776c9cd1295c771eaa3ebe46a009648f1f6ed016174abb990b49d
SHA512 a9dd485cc17466c88f0cbae4a243fe660e460715061b956f8e2b5d905f7f1aff3cc589a98fbda0980f104cc9b83d4764526e2ac62402e61f1df64b3c0bc36484

memory/2680-8-0x0000000074D70000-0x000000007531B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8g-drgne.0.vb

MD5 2b38ffbe47d3ecf204c3a42d5a63227e
SHA1 a0f9e80d85a636811d4ec176bee919bf94855325
SHA256 fb978605e56b2307760f150e7ae53b22dfa3b6f1544e9dc46b1be0653fb18356
SHA512 093578b1a08737dfef3f6dd42adc8b68066da88a1e16838d9af0ab08a03d958884e2c0dfae21a2dc42c2b4da7537740dc72f37b0076259d25a0c23ff13cee1e5

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbc1767.tmp

MD5 d0c28f627ef99cdbd7858fce053cbb4a
SHA1 a3547a179b2b74e9c5052b47922367dd6eda3c41
SHA256 6bc5a9759ca3ea3c4ba800be8968a996238baa1a1c80b6bc45451090b65b8a2d
SHA512 57128bcc2bf3649dc653bd301416d7f4a7d87ab4c219338db1df139d2a5562ba525dcec0f5ee045b5bbd80250626d871c36851dd503dd0f72d66ffca8a14df8f

C:\Users\Admin\AppData\Local\Temp\RES1768.tmp

MD5 0bb955a0b27e189a755ad3ed727a7dcb
SHA1 3f232ffed822bb6e4bacaea983aeef67f96bf994
SHA256 43e0597424b0734558443e927bd5562d4fcd1b95de36a18e30b2bf0218535644
SHA512 f9a9a25c0d99a345635df0df1a379a23c519f75d6b3ee62dc6c3dacf5bc052f4feb5fd336f7a1d23a3fe4ab8271538c37f6dc6f243b3d13c879af8d074b397dc

memory/2680-18-0x0000000074D70000-0x000000007531B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp163F.tmp.exe

MD5 beda92c87242a7f2d2e66f8abcd2d844
SHA1 e653f8822a6092fcf09463daff54f0570631d086
SHA256 8ac16189b4560bd68c6981d6d9b255a17da29dd488fb31296b9754d1f03198e4
SHA512 aae5d35f6c76405e3f2cd158658b4be0f9164f5534e09bab33437211f7f1cdba48f5fe221fa0dffbd13842ae2815902ac52ede96c5100c89da84feff920c32b9

memory/2220-24-0x0000000074D70000-0x000000007531B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 05:54

Reported

2024-07-26 05:56

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp74E2.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp74E2.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp74E2.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp74E2.tmp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe

"C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uvtfyu2c.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc278589D3FCAC4536B9294EF427B5E1D6.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp74E2.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp74E2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp

Files

memory/4176-0-0x0000000075212000-0x0000000075213000-memory.dmp

memory/4176-1-0x0000000075210000-0x00000000757C1000-memory.dmp

memory/4176-2-0x0000000075210000-0x00000000757C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uvtfyu2c.cmdline

MD5 b6a01382255d5c4600cc591de163bb36
SHA1 02dabd39ac4a0bb78d2e710d72017c2bfa1dba8d
SHA256 cf4c8352e1a9ebd87a1d32bca124caeb55610c3c5f809c4b4e227c02a81cbdb5
SHA512 82ce9970053618a1a3dcf52e8658ef3a05de95a37bf6401c0273314c27428da6c5474f8bc3af5f56653fb796e0422f05b91407df510a4a189bde54c13e1baa36

C:\Users\Admin\AppData\Local\Temp\uvtfyu2c.0.vb

MD5 097b841b1925b3042a43b8ed6f3a7000
SHA1 38e6d24167ceb0e2a18ad624d0e523e5ef991dca
SHA256 fe777f282201b2ecfd8f7efbf3356b95267e21483c4f8ff74c70a802fc1c1e64
SHA512 a2681eea72c36983d75c0b66dd141fc975f283b552d72cdf0eb029a22da7c8710db55dbb266b86fb4ac6a654246a75137d94d8731125e68486d297d55c93699c

memory/3936-9-0x0000000075210000-0x00000000757C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbc278589D3FCAC4536B9294EF427B5E1D6.TMP

MD5 82a256b4ef652003d2f3a98b1a3d4196
SHA1 ea6aff96ddb53d8436e8a3367c6c4d6102a84256
SHA256 cc9b9be295634421d9d78389dbad5ae211b373276b42c6ecd78b032c311c3e50
SHA512 20d93b9578ee878df547f20727d5d8f623d11842ce27819f408afc37d00fd7d88f07e1a51c35e60d2deb04c0b171042b91422553c0626d7153d6f183f8d23710

C:\Users\Admin\AppData\Local\Temp\RES75AD.tmp

MD5 60b53eaa9ab6e9f5e559d147b22a83d0
SHA1 4b8c1d08df6ae39884d023394fb92b81e02abcbc
SHA256 fca61d753773f9231559bc54a0ca55ada8249c83f908aa39038574baf43dad44
SHA512 eafc32d49d5142daefad1be7225948b66ea9fd44d9ede6c8bf5d6f639e3c169273301f9caf90b9944dcd8ca5d8e1b5deac4e6d6264007872c13af3930d3d2356

C:\Users\Admin\AppData\Local\Temp\tmp74E2.tmp.exe

MD5 aa74d6bb3a5f770da503272a5892ceab
SHA1 b4e3c32c43ce98f9945bd2ae5aecb6e7eaa721a9
SHA256 6a9dc2666fa896e83a7b82f4cb3347de2153010ec8bf65afcadfad47a1b1fd28
SHA512 c4e9e53814bf51cf1f483acc63c2485379f15358d6fbe4caab3a59b0f128837967b3be8bc9ff299569cfcc6b02de9fe53b2763e20648c152f9efc1030d63a7eb

memory/3936-18-0x0000000075210000-0x00000000757C1000-memory.dmp

memory/5016-23-0x0000000075210000-0x00000000757C1000-memory.dmp

memory/4176-22-0x0000000075210000-0x00000000757C1000-memory.dmp

memory/5016-24-0x0000000075210000-0x00000000757C1000-memory.dmp

memory/5016-25-0x0000000075210000-0x00000000757C1000-memory.dmp

memory/5016-26-0x0000000075210000-0x00000000757C1000-memory.dmp

memory/5016-27-0x0000000075210000-0x00000000757C1000-memory.dmp