Malware Analysis Report

2024-09-11 10:24

Sample ID 240726-pysh4asbka
Target 0cd87830a30b703bdeba484aa1303bc0N.exe
SHA256 93a8a14bbf42e8a7bee6ab857932894988996d25a3e491b6ef4323914b1e3d9e
Tags: metamorpherrat discovery persistence rat stealer trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

93a8a14bbf42e8a7bee6ab857932894988996d25a3e491b6ef4323914b1e3d9e

Threat Level: Known bad

The file 0cd87830a30b703bdeba484aa1303bc0N.exe was found to be: Known bad.

Both detonations (Windows 7 and Windows 10) show the same process chain. The unsigned sample starts the .NET 2.0 Visual Basic command-line compiler, vbc.exe (not the VBScript engine, despite the signature name "Uses the VBS compiler"), with a response file in %TEMP%; vbc.exe in turn runs cvtres.exe to build a resource object; the freshly compiled tmp*.tmp.exe is then executed with the original sample's path as its only argument. That child writes the current user's Run value caspol.exe (a name borrowed from the .NET Code Access Security Policy tool) pointing at %TEMP%\InstallMembership.exe, a file that does not appear among the files written in either run. The randomly named .cmdline/.0.vb pair plus the cvtres step is what the .NET CodeDOM compiler services produce when a program compiles source at run time. Network activity consists of repeated TCP connections to port 80 on bejnz.com (44.221.84.105) and recurring DNS lookups of t5tmike.no-ip.info that are never followed by a connection. The summary tag "Loads dropped DLL" is not backed by any DLL in the file lists below, and "Suspicious use of WriteProcessMemory" corresponds to the writes that accompany ordinary child-process creation in this tree.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Loads dropped DLL

Executes dropped EXE

Uses the VBS compiler for execution (vbc.exe, the VB.NET command-line compiler)

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-26 12:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 12:44

Reported

2024-07-26 12:47

Platform

win7-20240708-en

Max time kernel

118s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8EE7.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp8EE7.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp8EE7.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8EE7.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2948 wrote to memory of 2288 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2288 wrote to memory of 2532 (4 events) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2948 wrote to memory of 2552 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe | C:\Users\Admin\AppData\Local\Temp\tmp8EE7.tmp.exe

The report lists each write as its own row (twelve rows); they are grouped above. Every parent/child pair in the tree shows the same four writes at spawn time, which is what process creation itself performs, so this signature corroborates the process tree rather than indicating injection into an unrelated process.

Processes

C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe

"C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\duh3jati.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc90CB.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp8EE7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8EE7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe

Network

Country | Destination | Domain | Proto | Rows
US | 8.8.8.8:53 | bejnz.com | udp | 2
US | 8.8.8.8:53 | t5tmike.no-ip.info | udp | 1
US | 44.221.84.105:80 | bejnz.com | tcp | 72

The report lists every connection as its own row (75 rows); they are aggregated above. The lookup of t5tmike.no-ip.info is not followed by any connection to that name.

Files

memory/2948-0-0x0000000073E41000-0x0000000073E42000-memory.dmp

memory/2948-1-0x0000000073E40000-0x00000000743EB000-memory.dmp

memory/2948-2-0x0000000073E40000-0x00000000743EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\duh3jati.cmdline

MD5 c4bf374c274506f6a6adcfb05bcdd51d
SHA1 3b389b6447afd65d640c1094185df4a06c4ffa2d
SHA256 4c1e013ca3b3b89772bf374aded6eac6e87e89a3564a64ce84f8b18b4de43f0d
SHA512 02e5927ccd526d193698b561e805bfda6531ca3628bbdc7c32bb54e4e664b25f8a7e1979fa248a4c5ca6b37cecbbe2bba3d282fd92a94531756f5ff3c5d6ecc8

memory/2288-8-0x0000000073E40000-0x00000000743EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\duh3jati.0.vb

MD5 5121182d695f6ebd7dde4381a1c0771d
SHA1 1132ace86cef8dfcdfc07766a14606ff5ca5536d
SHA256 3e3fe7c0343e92e7d0e4bfab40f2407ee2eb0218cdf6653f2f35a0ab30f6eb45
SHA512 645e5ff5bf49e9daf69257557fdb97441011a1cc1884d90db73dd68a5c1dd6c2eaff63a965f13a95575981349527c23b5b35865daca56281a4b06d80d6c40501

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbc90CB.tmp

MD5 23622f3c021eb50ae7c2f5bc0477086c
SHA1 4429c9d7b40a55ae5da0d0deb4b644f0b78fb019
SHA256 189f4a7a281dba6ce0ccf578041fa98f9fc03c3ba2d853906957e272d9332ea4
SHA512 478c0de7a36f8060fa3e0af2b11deb00b34abd4f50453267a6c4cbfd20994c3cf9005aced50ed2c19b1659bfedf0aac70106670cffb8249e6ada54ca9cd5a4dc

C:\Users\Admin\AppData\Local\Temp\RES90CC.tmp

MD5 e5d9abacac08a3dd76bb23b947a541eb
SHA1 daea68219201f44aabaf5d6ca8e1672815bf0808
SHA256 b8804ce8cd49451f13e6f72697ba2d1dca185d623ac01628aa50e3bed93ab597
SHA512 8be36b11c73d48c6ce3ff162bb9c77ce7cf99a4072df0d6cfd4cf62fa0f8bcf4a36624c3bd89ae46ba661fae31167e19b280479846c33af7a7e51eb9f6da7d6c

memory/2288-18-0x0000000073E40000-0x00000000743EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8EE7.tmp.exe

MD5 3f36e702f4b5c23ab6ae0c3d4fe0644d
SHA1 cbe1015762d755c2bb651225d6f663713e6f1428
SHA256 4676f2c9eae9ef8c9c2e3410fc236ac01d6b7ab7cab3454aeec217585cb82c9a
SHA512 b66eab3e889fe86c497d9f86b7c222acddef9c01aff09fa36dc6e43bf94028ebdc4614b83e896ee759e3903a5c875f0af0b9690bd084473d69659f2244bfbdbc

memory/2948-24-0x0000000073E40000-0x00000000743EB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 12:44

Reported

2024-07-26 12:47

Platform

win10v2004-20240709-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7649.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp7649.tmp.exe | N/A
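The Run value above (and the identical one from the Windows 7 run) is the kind of entry an analyst wants scored automatically rather than eyeballed. The following is an added example, not code from the sandbox or from the malware family: it parses a "Set value" row in the report's own format, undoes the report's backslash escaping, and flags the three properties that make this entry suspicious: a value name borrowed from a real .NET binary (caspol.exe), a target under a user-writable directory, and a target that none of the run's written files account for. The lookalike-name list, the user-writable path patterns, and the benign OneDrive control row are assumptions constructed for the example.

```python
from __future__ import annotations
import re

# Constructed inputs: the "Set value" row as the sandbox prints it for this
# sample, the file paths the same run reported as written, and a benign row
# for contrast. None of this was collected from a live host.
SAMPLE_RUNKEY_EVENT = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = '
    r'"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""'
)
BENIGN_RUNKEY_EVENT = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = '
    r'"\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"'
)
FILES_WRITTEN_IN_RUN = {
    r"C:\Users\Admin\AppData\Local\Temp\-vqkvimm.cmdline",
    r"C:\Users\Admin\AppData\Local\Temp\-vqkvimm.0.vb",
    r"C:\Users\Admin\AppData\Local\Temp\zCom.resources",
    r"C:\Users\Admin\AppData\Local\Temp\RES782D.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\tmp7649.tmp.exe",
}

# Value names that impersonate real Windows/.NET binaries. Assumption: a short
# illustrative list; extend it from your own telemetry.
LOOKALIKE_NAMES = {"caspol.exe", "svchost.exe", "csrss.exe", "explorer.exe", "msbuild.exe"}
# Directories an unprivileged user can write to. Assumption: illustrative patterns.
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Temp\\|\\Users\\Public\\|\\Downloads\\", re.I)

# One report row: "Set value (<type>) <key>\Run\<name> = "<escaped data>""
RUN_EVENT = re.compile(
    r'Set value \((?P<type>\w+)\)\s+'
    r'(?P<key>\\REGISTRY\\.*?\\CurrentVersion\\Run\\(?P<name>[^\s=\\]+))'
    r'\s*=\s*"(?P<data>.*)"\s*$',
    re.I,
)
# First .exe path in the (unescaped) value data, quoted or not.
EXE_IN_DATA = re.compile(r'^\s*"?([^"]+?\.exe)"?', re.I)


def unescape(s: str) -> str:
    """Undo the backslash escaping the report applies to registry string data."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def assess_run_key(event: str, known_files: set[str]) -> dict | None:
    """Score one Run-key write; None if the line is not a Run-key write."""
    m = RUN_EVENT.match(event)
    if not m:
        return None
    name = m["name"]
    data = unescape(m["data"])
    pm = EXE_IN_DATA.match(data)
    target = pm.group(1) if pm else data.strip('"')
    reasons = []
    if name.lower() in LOOKALIKE_NAMES:
        reasons.append(f"value name {name!r} borrows a legitimate Windows/.NET binary name")
    if USER_WRITABLE.search(target):
        reasons.append("autorun target lives in a user-writable directory")
    if target.lower() not in {p.lower() for p in known_files}:
        reasons.append("autorun target was never written during the detonation")
    return {"value_name": name, "target": target, "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    known = FILES_WRITTEN_IN_RUN | {r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"}
    for ev in (SAMPLE_RUNKEY_EVENT, BENIGN_RUNKEY_EVENT):
        print(assess_run_key(ev, known))
```

The "never written" check is the one that matters most for this sample: a persistence entry that points at a file the dropper has not (yet) created either means a later stage creates it or that the run was cut short, and either way the path is worth a file-system watch on the real host.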

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp7649.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7649.tmp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe

"C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-vqkvimm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES782D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4524653661F14D46A799F9E817DD2C5.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp7649.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7649.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe
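The process tree above, identical in shape to the Windows 7 run apart from PIDs and temporary file names, is the compile-and-run chain worth detecting on endpoints: a user-land executable drives vbc.exe with a response file in Temp, cvtres.exe links resources into Temp, and the result is launched with the parent's own path as argument. The following is an added example, not code from the sandbox or the sample. It walks constructed process-creation events shaped like the report's command lines (using the Windows 7 run's PIDs, since that run lists them) and flags each step of the chain, while leaving a control case alone in which MSBuild drives the same compiler from a source tree. The sample's parent PID, the MSBuild control events, and the build-tool allow list are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe"
FW2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed process-creation events mirroring the Windows 7 run. PIDs 2948,
# 2288, 2532 and 2552 are those in the report's WriteProcessMemory rows; the
# sample's own parent PID (1000) is assumed, the report does not name it.
MALICIOUS_EVENTS = [
    ProcEvent(2948, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2288, 2948, FW2 + r"\vbc.exe",
              f'"{FW2}\\vbc.exe" /noconfig @"{TEMP}\\duh3jati.cmdline"'),
    ProcEvent(2532, 2288, FW2 + r"\cvtres.exe",
              f'{FW2}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
              f'"/OUT:{TEMP}\\RES90CC.tmp" "{TEMP}\\vbc90CB.tmp"'),
    ProcEvent(2552, 2948, TEMP + r"\tmp8EE7.tmp.exe",
              f'"{TEMP}\\tmp8EE7.tmp.exe" {SAMPLE}'),
]
# Constructed control: the same compiler driven by MSBuild from a source tree.
BENIGN_EVENTS = [
    ProcEvent(4000, 1000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              "MSBuild.exe app.vbproj"),
    ProcEvent(4100, 4000, FW2 + r"\vbc.exe",
              f'"{FW2}\\vbc.exe" /noconfig @"C:\\src\\app\\obj\\Debug\\app.vbproj.cmdline"'),
]

USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Temp\\|\\Users\\Public\\|\\Downloads\\", re.I)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)   # vbc/csc @response file
OUT_ARG = re.compile(r'"?/OUT:([^"\s]+)"?', re.I)               # cvtres output object
DROPPED_TMP_EXE = re.compile(r"\\tmp[0-9A-F]{4}\.tmp\.exe$", re.I)
COMPILERS = {"vbc.exe", "csc.exe"}
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}  # assumed allow list


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestor_images(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[str]:
    """Images of ev's ancestors, nearest first; stops at unknown PIDs or a loop."""
    out, seen, cur = [], set(), by_pid.get(ev.ppid)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        out.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return out


def find_runtime_compilation(events: list[ProcEvent]) -> list[tuple[int, str, str]]:
    """Return (pid, finding kind, detail) for each step of the compile-and-run chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else ""
        name = basename(e.image)
        if name in COMPILERS:
            # Compiler fed a response file from a user-writable path by a non-build parent.
            rf = RESPONSE_FILE.search(e.cmdline)
            if rf and USER_WRITABLE.search(rf.group(1)) and parent_name not in BUILD_TOOLS:
                findings.append((e.pid, "runtime_compile",
                                 f"{name} given response file {rf.group(1)} by {parent_name or 'unknown parent'}"))
        elif name == "cvtres.exe" and parent_name in COMPILERS:
            # Resource linker spawned by the compiler, writing its object into Temp.
            out = OUT_ARG.search(e.cmdline)
            if out and USER_WRITABLE.search(out.group(1)):
                findings.append((e.pid, "resource_link",
                                 f"cvtres.exe emitting {out.group(1)} for compiler pid {e.ppid}"))
        elif DROPPED_TMP_EXE.search(e.image):
            # Freshly built binary started with an ancestor's image path as an argument.
            args = e.cmdline.lower()
            hit = next((a for a in ancestor_images(e, by_pid) if a.lower() in args), None)
            if hit:
                findings.append((e.pid, "dropped_helper",
                                 f"{basename(e.image)} started with ancestor image {hit} as argument"))
    return findings


if __name__ == "__main__":
    for f in find_runtime_compilation(MALICIOUS_EVENTS):
        print(*f)
    print("control findings:", find_runtime_compilation(BENIGN_EVENTS))
```

The parent-image allow list is what keeps this from firing on developer machines; the response-file location is the second gate, since a build system writes its .cmdline under the project's obj directory, not under the user's Temp.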

Network

Country | Destination | Domain | Proto | Rows
US | 8.8.8.8:53 | bejnz.com | udp | 1
US | 44.221.84.105:80 | bejnz.com | tcp | 81
US | 8.8.8.8:53 | t5tmike.no-ip.info | udp | 22
US | 8.8.8.8:53 | tse1.mm.bing.net | udp | 1
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp | 5
US | 8.8.8.8:53 | PTR lookups (.in-addr.arpa) for 13 addresses: 97.17.167.52, 134.32.126.40, 36.58.20.217, 205.47.74.20, 105.84.221.44, 217.106.137.52, 183.59.114.20, 171.39.242.20, 172.210.232.199, 172.214.232.199, 57.169.31.20, 11.227.111.52, 26.35.223.20 | udp | 13

The report lists every connection and lookup as its own row (123 rows); they are aggregated above. In the original order a lookup of t5tmike.no-ip.info recurs after roughly every four connections to bejnz.com, and no connection to t5tmike.no-ip.info is recorded. One PTR lookup (105.84.221.44.in-addr.arpa) is the reverse of the bejnz.com address 44.221.84.105. The tse1.mm.bing.net traffic and the remaining reverse lookups are consistent with Windows 10 background activity rather than with the sample.
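Both network tables (this one and the Windows 7 run's) reduce to the same three facts: many connections to a single host:port, a dynamic-DNS name that is looked up on a schedule but never connected to, and resolver noise. The following is an added example, not part of the report: it parses rows in the report's own column format (a constructed excerpt of the Windows 10 run, not the full table), aggregates them, measures how many connections fall between successive lookups of a domain, and applies two assumed heuristics, a dynamic-DNS suffix list and a polling threshold of ten connections to one host:port.

```python
from __future__ import annotations
import re
from collections import Counter

# Constructed excerpt in the report's "Country Destination Domain Proto" row
# format: 23 rows chosen from the Windows 10 run, not the complete table.
SAMPLE_TABLE = """\
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""

# Dynamic-DNS providers commonly used for RAT C2. Assumption: illustrative list.
DYNDNS_SUFFIXES = (".no-ip.info", ".no-ip.org", ".no-ip.biz", ".ddns.net", ".duckdns.org", ".hopto.org")
POLLING_THRESHOLD = 10  # assumed: connections to one host:port that count as polling

ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<domain>\S+)\s+(?P<proto>tcp|udp)\s*$"
)


def parse_rows(text: str) -> list[dict]:
    """Turn the report's rows into dicts; lines that are not rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({**m.groupdict(), "port": int(m["port"])})
    return rows


def is_dns(r: dict) -> bool:
    return r["proto"] == "udp" and r["port"] == 53


def connection_gaps(rows: list[dict], domain: str) -> list[int]:
    """Non-DNS rows between successive lookups of `domain`. A flat series means
    the lookup is driven by a timer or a fixed poll count, i.e. a beacon."""
    gaps, count, started = [], 0, False
    for r in rows:
        if is_dns(r) and r["domain"] == domain:
            if started:
                gaps.append(count)
            started, count = True, 0
        elif not is_dns(r):
            count += 1
    return gaps


def summarize(rows: list[dict]) -> dict:
    """Aggregate rows and flag beaconing patterns visible without payload data."""
    lookups, conns, ptr = Counter(), Counter(), 0
    for r in rows:
        if is_dns(r):
            if r["domain"].endswith(".in-addr.arpa"):
                ptr += 1                      # reverse lookups: resolver/OS noise
            else:
                lookups[r["domain"]] += 1
        else:
            conns[(r["domain"], r["ip"], r["port"], r["proto"])] += 1
    connected = {dom for dom, _, _, _ in conns}
    findings = []
    for dom, n in lookups.items():
        if dom.endswith(DYNDNS_SUFFIXES) and dom not in connected:
            findings.append(f"{dom}: dynamic-DNS name looked up {n}x with no connection recorded "
                            f"(unresolved or dormant C2); gaps between lookups: {connection_gaps(rows, dom)}")
    for (dom, ip, port, proto), n in conns.items():
        if n >= POLLING_THRESHOLD and port == 80:
            findings.append(f"{dom} ({ip}:{port}/{proto}): {n} repeated connections, consistent with HTTP polling C2")
    return {
        "lookups": dict(lookups),
        "connections": {f"{d} {ip}:{p}/{pr}": n for (d, ip, p, pr), n in conns.items()},
        "ptr_lookups": ptr,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in summarize(parse_rows(SAMPLE_TABLE))["findings"]:
        print(line)
```

A secondary name that is resolved but never contacted is as useful for blocking as the live one: add both bejnz.com and t5tmike.no-ip.info to DNS deny lists, since the sample will presumably fail over to whichever resolves.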

Files

memory/1432-0-0x0000000074682000-0x0000000074683000-memory.dmp

memory/1432-1-0x0000000074680000-0x0000000074C31000-memory.dmp

memory/1432-2-0x0000000074680000-0x0000000074C31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\-vqkvimm.cmdline

MD5 4b3a2f46d63a7c81ebc3afbc6f6a0f4a
SHA1 c7d13519c0707efcec4faec921aca325743217ff
SHA256 8b94b8339bfb6ed61c2e8228eac8f983317e644db6717827cef8971596c52bd5
SHA512 93234de73a6c926e6dd1b6886fe218c1b41aa6de0e38e25ec60689117178290a507bbf06491b9d908fea03b94526237f698a8342baa46c4c019a226b362b38c3

C:\Users\Admin\AppData\Local\Temp\-vqkvimm.0.vb

MD5 85e6fda5aae3d9a8c252130c857b52f7
SHA1 eba8e960bcbea9d6ceded1f13a5c96bf47fb2966
SHA256 e111df07556062b0f24c5a6ad8a450efb83214799bd7492a194420a0c6cd40b9
SHA512 c4d7938d7c8e96aba73eb17d8d2df453c00eb126129927144add89c579ae931e7f638e4fd4ce318747333b8e16ef9c942f92728fef0e22c3fa4e170717ad8124

memory/4720-9-0x0000000074680000-0x0000000074C31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbc4524653661F14D46A799F9E817DD2C5.TMP

MD5 505bb13f003b9830245165c4cb66ba58
SHA1 5995e5280453389e98cbaa4a543c1f47f413aa6e
SHA256 3e2c02f6af77e5d8b52c04ef4ac8a40fdf4934aa3ea8714b0379c571b930cf2b
SHA512 02f6dfda1b7729451382787160888962638a1dc12fa2e879ceaea448d7708c4e73ee78c7cff837870c3cecadfc2bd28d957129e7ee2905c98ed98a9729a59286

C:\Users\Admin\AppData\Local\Temp\RES782D.tmp

MD5 677ac2e078dbc0a0d5e46b2ae3fe4be2
SHA1 597c97c2fd2b76f6b09889c6f718f842174fcbcc
SHA256 34edc1e4f0bfe7479fe61470a8e32f2d8bac724c62220063bed4906dc850ba11
SHA512 0e6fc1bba58f686af7878e41e4aefd6294fc0f707de5e244c0230c7e7a5535a36a720b6251a767d36d4e2597ce91371c98bf82cc9688665e681ad207865aff27

memory/4720-18-0x0000000074680000-0x0000000074C31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7649.tmp.exe

MD5 a4e7f57b23beef1431e4218186b6f5c1
SHA1 b978b67cc769bb52a18b7e4539332320cccd1989
SHA256 04b85c1f58e8e4a61a499c9d0939464a320fd77f6cba98df5bd3fb7002c98377
SHA512 11bd760461e0dd53b03956a903a375438b06a3a506f41f7a1f66c39defae795f2ddb7510f58ac4d90e2f4e6e4a9556bf730823c51a1bf35a02f762e60d6da8a0

memory/1432-22-0x0000000074680000-0x0000000074C31000-memory.dmp

memory/5084-23-0x0000000074680000-0x0000000074C31000-memory.dmp

memory/5084-24-0x0000000074680000-0x0000000074C31000-memory.dmp

memory/5084-25-0x0000000074680000-0x0000000074C31000-memory.dmp

memory/5084-26-0x0000000074680000-0x0000000074C31000-memory.dmp

memory/5084-27-0x0000000074680000-0x0000000074C31000-memory.dmp

memory/5084-28-0x0000000074680000-0x0000000074C31000-memory.dmp