Malware Analysis Report

2024-09-11 10:24

Sample ID 240726-v77bhaxblg
Target 38aefafe444a34c9974398a96bb0e100N.exe
SHA256 0475cbfbd69fbc14a9e9bc895b8afbc1569a01427a92a4b3ce80eb68231647ae
Tags metamorpherrat discovery persistence rat stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

0475cbfbd69fbc14a9e9bc895b8afbc1569a01427a92a4b3ce80eb68231647ae

Threat Level: Known bad

The file 38aefafe444a34c9974398a96bb0e100N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-26 17:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 17:38

Reported

2024-07-26 17:41

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe

"C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3dfc2x3e.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1FD6A38A81A7421A88621B5CFE5B25E7.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe

Network


Files

memory/4952-0-0x0000000074732000-0x0000000074733000-memory.dmp

memory/4952-1-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/4952-2-0x0000000074730000-0x0000000074CE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3dfc2x3e.cmdline

MD5 e09fd7941a7391a285770b0a6cd02567
SHA1 922684eb6beb1be25e137fc68ad288d36284a7b9
SHA256 c555c4954f0cdd0816312b95ba37dbfeb47a59d3e29f9ed51e351fb8ebba59b5
SHA512 bae04678fc2e2cc2fd0fd557d3b4a80be1ff20ae5fea985058e6a39b8864385b89986ecea95dc8ee99b5693a4eeb45b3222331976af5915e65075794fac0b9ce

C:\Users\Admin\AppData\Local\Temp\3dfc2x3e.0.vb

MD5 29d3f59dded7b1b0cda4be19486769aa
SHA1 2bf87970fa4ee224f5298ce4b1757a3bb9152825
SHA256 bc3c4c20c538b7a8067582a44804084157a76e9cc00910daf9e4502040299d43
SHA512 7d97ad0464db5671dd9a3e6ac203c39444501fc4e9ead4ba53f89812f15ea602b1e1488b472efa1616ff6b8d76ee24e03e8b5b0d58e82c7c3c54dcbdd4a8c3b7

memory/2036-9-0x0000000074730000-0x0000000074CE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8b25b4d931908b4c77ce6c3d5b9a2910
SHA1 88b65fd9733484c8f8147dad9d0896918c7e37c7
SHA256 79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e
SHA512 6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

C:\Users\Admin\AppData\Local\Temp\vbc1FD6A38A81A7421A88621B5CFE5B25E7.TMP

MD5 a5ada5f00d91d3ff1c6b2937f036908f
SHA1 54c3b9e339a35f7b3fb72c5290546576453a77d1
SHA256 8a42261fa32f829411ab4d1a1112526cc6d0c154a40263b868ea56b468964aec
SHA512 12763f48c941a220e278ae55316f5c9ed000365bb2697953f68e5087a78aa13b036956a85327188a8aca54bb433f4cac3250674b0e4531288932865345e44a71

C:\Users\Admin\AppData\Local\Temp\RES81F1.tmp

MD5 4e7d87b69a5641730fec7c2979b6952a
SHA1 2705c05878fd97a3787d1d9ebdec7438510b9036
SHA256 c812f4be5e257851267727ede86ceaabadd552c272f3923f6875b8cb9c95187e
SHA512 b773498cfeae5bf7f9279bc9f1467b98191ba97707941be06c9d6c9cf8820494ad3a7411cd826976601bf5cf85b928412d6edc880abbb4720710cdcd49b3e4ea

C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe

MD5 d226c68c333241281308318fdee78c63
SHA1 3fbc55eb77529c2f88fa549608c698818e27b534
SHA256 bb59373eec0a79c859d87c6936c194d23b8b33e14f53fec9a3d263f542b464e4
SHA512 d571ba3ccab07e9fc654bf84471a35001f5dff52034b6ba163927f736295b318081ff95036928954396a900f3f56459eb7caf4f3f037ec00f3e6fa5059bb5b77

memory/2036-18-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/4016-23-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/4952-22-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/4016-24-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/4016-26-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/4016-27-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/4016-28-0x0000000074730000-0x0000000074CE1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 17:38

Reported

2024-07-26 17:41

Platform

win7-20240705-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1036 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1036 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1036 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1036 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2336 wrote to memory of 2912 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2336 wrote to memory of 2912 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2336 wrote to memory of 2912 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2336 wrote to memory of 2912 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1036 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe
PID 1036 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe
PID 1036 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe
PID 1036 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe

"C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ucw6nifd.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4C5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4C4.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\38aefafe444a34c9974398a96bb0e100N.exe

Network


Files

memory/1036-0-0x0000000074D01000-0x0000000074D02000-memory.dmp

memory/1036-1-0x0000000074D00000-0x00000000752AB000-memory.dmp

memory/1036-2-0x0000000074D00000-0x00000000752AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ucw6nifd.cmdline

MD5 e730269dcd98bbc16d87b916b093bc59
SHA1 253e309a94c1d6e268a8ea3f952d1dcadd2ac2c0
SHA256 ef7cf3279fb3e64ab444f6a71666e89bac9d63eddce5299adb2b05496224ba80
SHA512 4998e8e6dc1ca56e64e370d723ac9730807282e58d230ef2973bcbb8753d855668d1e12951751848eca93ef30df7515e9791425225d400b7fda986f380b45d64

memory/2336-8-0x0000000074D00000-0x00000000752AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ucw6nifd.0.vb

MD5 49035f747be97e1abed6e9016c96c61d
SHA1 6fc3b0a8272ba92d45428b58334cf6c76fd5ec4e
SHA256 28f97c23dbb4bb3f877e61c056ee0eb3a3d5be1929a6796757037c8093168d53
SHA512 faa80669473872fec89533a2e4ff8ab757084ff6e07c7f722a982782ddef1e6522a7d535933dc9d2b63db36b1eeaaa3ee7446cf73dc9f2225235e356a4662916

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8b25b4d931908b4c77ce6c3d5b9a2910
SHA1 88b65fd9733484c8f8147dad9d0896918c7e37c7
SHA256 79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e
SHA512 6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

C:\Users\Admin\AppData\Local\Temp\vbcE4C4.tmp

MD5 dae8d8006a08569babc234e11b5d1e59
SHA1 371b9330d1bc03d87fde522b4c73e60aabe2d9fd
SHA256 2c02bef5904c77941c2b155bf495a96d4abcd6262b1f607fc3cda8aff188e145
SHA512 4da10fffb31448ddc3fbdedc5236571271b7eabee10d2504244efd9860867d6a64bb3bae0fe3a2fe048617fe24f666973f0136fd879c023bf69142a07b0a3a18

C:\Users\Admin\AppData\Local\Temp\RESE4C5.tmp

MD5 e8c60deb1c469c65f85ce471c87cf20b
SHA1 ed92d263328dbc2f6b427a492f8c83b36c27120d
SHA256 2835f8c3252d43d5fc868dfd798aa70333209ab0351b4b1bd39107c185bb27db
SHA512 0b19976b2365f830a62cf6108c51623b68e4c404cf6c2b7218e55ce70bc4595844feb503997dd39768a0d9bf35cdbcb6e59dfa0f18427c838c934f6ee4634109

memory/2336-18-0x0000000074D00000-0x00000000752AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE32E.tmp.exe

MD5 403ff7e6402b789632f06227b58076cd
SHA1 e3a85eaf65351dfb8905e87799c9e155fbe948c1
SHA256 7af999b6e38591fb62341dbd3f2a1598f05fe888d78f6db4ae750432a905c20b
SHA512 70c771a1b78e0e4c1760d52d47396d40ca3123cecd1d1a1d5fa8fcdebd3e5aa46ec4a939d3572f0fdffb32bf7e84f9af9ddb45f6a69dbc8858cf0e36ae9ff0b7

memory/1036-24-0x0000000074D00000-0x00000000752AB000-memory.dmp