Malware Analysis Report

2024-11-16 13:11

Sample ID 241103-erd21stpfz
Target c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415
SHA256 c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415

Threat Level: Known bad

The file c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

Metamorpherrat family

MetamorpherRAT

Uses the VBS compiler for execution

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Technique mapping derived from the signatures reported in the detonations below:

T1027.004 Obfuscated Files or Information: Compile After Delivery (vbc.exe compiles dropped .vb source into tmp*.tmp.exe at run time)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (HKCU\...\CurrentVersion\Run\ShFusRes)
T1614 System Location Discovery (Control Panel\International\Geo\Nation queried in the win10 run)
T1614.001 System Location Discovery: System Language Discovery (NLS\Language key opened)
T1082 System Information Discovery (enumerates physical storage devices)

Analysis: static1

Detonation Overview

Reported

2024-11-03 04:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 04:10

Reported

2024-11-03 04:12

Platform

win7-20240903-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB55B.tmp.exe N/A

Uses the VBS compiler for execution (vbc.exe, the Visual Basic .NET command-line compiler from .NET Framework v2.0.50727, not VBScript; see Processes for the vbc.exe -> cvtres.exe chain)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpB55B.tmp.exe N/A
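
The Run value above points at C:\Users\Admin\AppData\Local\Temp\big5.exe, which is not among the files listed under Files for either detonation, so this report does not show whether the autostart entry actually survives a reboot. The following triage helper is an added example, not part of the original report or of any sandbox's own code: it parses the two "Set value" rows from this page (win7 and win10 runs, copied verbatim), converts the native \REGISTRY\USER\<SID> key to its HKU form, decodes the JSON-escaped REG_SZ data, extracts the executable the entry would launch and flags it when it lives under a user's Temp directory or is missing from the dropped-file list. The flag names and the decision rules are the example's own.

```python
r"""Triage of 'Adds Run key' indicator rows from a sandbox report.

Added example (not the report's or the sandbox's code). Input rows are the two
"Set value (str) \REGISTRY\USER\<SID>\...\Run\<name> = <json string>" lines from
the page; the dropped-file list is the win7 run's Files section.
"""
import json
from dataclasses import dataclass, field

# Indicator rows copied from the report (win7 run, then win10 run).
INDICATOR_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""',
]

# Dropped files listed under Files for the win7 run (note: no big5.exe).
DROPPED_FILES_WIN7 = [
    r"C:\Users\Admin\AppData\Local\Temp\cjhhoen5.cmdline",
    r"C:\Users\Admin\AppData\Local\Temp\cjhhoen5.0.vb",
    r"C:\Users\Admin\AppData\Local\Temp\zCom.resources",
    r"C:\Users\Admin\AppData\Local\Temp\vbcB700.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\RESB710.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\tmpB55B.tmp.exe",
]

AUTORUN_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
# Native object-manager paths -> Win32 hive names (HKU\<SID> is that user's HKCU).
HIVE_PREFIXES = (("\\REGISTRY\\USER\\", "HKU\\"), ("\\REGISTRY\\MACHINE\\", "HKLM\\"))


@dataclass
class RunKeyFinding:
    key: str             # Win32 key path, e.g. HKU\<SID>\Software\...\Run
    value_name: str      # value under the Run key
    command: str         # decoded REG_SZ data: the command line run at logon
    target: str          # executable that command line starts
    flags: list = field(default_factory=list)


def _decode_reg_sz(data):
    # The report renders REG_SZ data as a JSON string literal; fall back to raw text.
    try:
        return json.loads(data)
    except ValueError:
        return data.strip('"')


def _first_token(command):
    # Executable of a Win32 command line: quoted path or text up to first space.
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def _to_win32_key(native):
    upper = native.upper()
    for prefix, hive in HIVE_PREFIXES:
        if upper.startswith(prefix):
            return hive + native[len(prefix):]
    return native


def parse_run_key_row(row, dropped_files):
    """Parse one 'Set value (...)' row and attach triage flags."""
    left, data = row.split(" = ", 1)
    native_key = left.split(") ", 1)[1]          # drop the "Set value (str) " prefix
    key, name = native_key.rsplit("\\", 1)
    command = _decode_reg_sz(data)
    target = _first_token(command)
    finding = RunKeyFinding(_to_win32_key(key), name, command, target)
    if key.lower().endswith(AUTORUN_SUFFIXES):
        finding.flags.append("autostart")
    if "\\appdata\\local\\temp\\" in target.lower():
        finding.flags.append("temp_location")
    if target.lower() not in {p.lower() for p in dropped_files}:
        finding.flags.append("target_not_in_dropped_files")
    return finding


def triage(rows, dropped_files):
    return [parse_run_key_row(r, dropped_files) for r in rows]


if __name__ == "__main__":
    for f in triage(INDICATOR_ROWS, DROPPED_FILES_WIN7):
        print(f.key, f.value_name, f.target, f.flags)
```

Both rows resolve to the same value name and target; the third flag is the one worth acting on during incident response, because a Run entry whose target never appeared on disk is either written later by the payload or is a broken persistence attempt, and only a live host check can tell which.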

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB55B.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpB55B.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2148 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
PID 2076 wrote to memory of 2352 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 2148 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe C:\Users\Admin\AppData\Local\Temp\tmpB55B.tmp.exe 4

Every write is from a parent into the child it has just started (sample 2148 -> vbc.exe 2076 -> cvtres.exe 2352; sample 2148 -> tmpB55B.tmp.exe 2288), the pattern process creation itself produces. The report shows no write into an unrelated process, so this signature on its own is not evidence of injection.

Processes

C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe

"C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cjhhoen5.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB710.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB700.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpB55B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB55B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe

Network

Country Destination Domain Proto Connections
US 8.8.8.8:53 bejnz.com udp 1
US 44.221.84.105:80 bejnz.com tcp 62
N/A 127.0.0.1:127 tcp 62

One DNS lookup of bejnz.com, then 62 TCP connections to 44.221.84.105:80 within the 149 s capture, each followed by a connection to 127.0.0.1:127: the sample reconnects roughly every 2 to 3 seconds. The loopback connections carry no external indicator. bejnz.com / 44.221.84.105:80 is the network indicator to act on, and it recurs in the win10 run below.

Files

memory/2148-0-0x0000000074DD1000-0x0000000074DD2000-memory.dmp

memory/2148-1-0x0000000074DD0000-0x000000007537B000-memory.dmp

memory/2148-2-0x0000000074DD0000-0x000000007537B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cjhhoen5.cmdline

MD5 8364529885735a04536a79984649923b
SHA1 52e4d6355310c4f9824914e53d57e523fa440ffc
SHA256 943fb44b886a6863a34d2c151012400fd0c13b790ce8006aef19ca7889b9b940
SHA512 2d40ff954bcf7c29f0fd4f166ff5ba0615d13741dbbb901b53ed7df65b582b5c94558080368e2ce705ea3bf6fcf689112a8a3cbd60b3e67eb6f9375a291f57e1

memory/2076-8-0x0000000074DD0000-0x000000007537B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cjhhoen5.0.vb

MD5 7717496b5c2187925382cbb70566071d
SHA1 d67cb1da8a3ad055fc39a946db5e325db83ae7fa
SHA256 31aac4fafa8495d89dbe2de62442f17207baad495edf1418c4babf89ee64b5ed
SHA512 1ba661fc6850c10f2256605c6c60d16e2d1432e52445b456539e1ff73725eca984d7c8beb41a25ed8b97402a9de610badbf6c5d07c70db0a704c4810c2f8489e

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbcB700.tmp

MD5 515eca68dab3c76a8e1af10b1c528f16
SHA1 15db143d5bfaa105f47e8b656a0485b766e858aa
SHA256 3355335ed9ae09dd14bab2c1dec0b76f04e15123a6aa8df3a5879bb605cd25ff
SHA512 2498bd5120450ea05cf69bf6bdbd1183a5e88333486278538b39b182f4440463b173466524c4e7456d217f891b80630ae1d19fa98ebdd296c8f069cbd8725a9d

C:\Users\Admin\AppData\Local\Temp\RESB710.tmp

MD5 dacd6e195513b5dd395e1d6407428a7d
SHA1 edb51f2f448b6c6c6aaf9c0688a837754bb27e32
SHA256 6578e994a45f82d17e7336685e7c65f5ad1048ed5996ef6ddfb0d5ab7189fbbc
SHA512 1567a879039598b0dbbdd943d10798789aa1d095f5dc13eb1b75c61f2a94688be8b89b34425b072b0aad9ff582ca2ab0f064a4d89a09921d711a27620352191e

memory/2076-18-0x0000000074DD0000-0x000000007537B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB55B.tmp.exe

MD5 3724c45c6e845bdac7560fd6eeae0e6e
SHA1 a36e39f272fe27b260e1dc144ea50e176752615a
SHA256 9e5e18acf42d0e634074264c9c58f183179bef6de9c728a2e2db18dba3353349
SHA512 af25349f0cf55be854d38879dd27de0e710285acd03418af9887529b6d123b110aa189ccedf1fdf8faf9c5c809f2e30fc2d1737ad4514dea1c97cb7e76d260d3

memory/2148-24-0x0000000074DD0000-0x000000007537B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 04:10

Reported

2024-11-03 04:12

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8993.tmp.exe N/A

Uses the VBS compiler for execution (vbc.exe, the Visual Basic .NET command-line compiler from .NET Framework v2.0.50727, not VBScript; see Processes for the vbc.exe -> cvtres.exe chain)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp8993.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8993.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp8993.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 4124 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 3
PID 1192 wrote to memory of 3700 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 3
PID 4124 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe C:\Users\Admin\AppData\Local\Temp\tmp8993.tmp.exe 3

As in the win7 run, every write is from a parent into the child it has just started (sample 4124 -> vbc.exe 1192 -> cvtres.exe 3700; sample 4124 -> tmp8993.tmp.exe 972); no write into an unrelated process is reported.

Processes

C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe

"C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4e-ugpkl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8AAC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc92A6D2CB2F5644E9B2E64CC68CE0214D.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp8993.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8993.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe

Network

Country Destination Domain Proto Connections
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp 1
US 8.8.8.8:53 g.bing.com udp 1
US 150.171.28.10:443 g.bing.com tcp 1
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp 1
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp 1
US 8.8.8.8:53 bejnz.com udp 1
US 44.221.84.105:80 bejnz.com tcp 44
N/A 127.0.0.1:127 tcp 44
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp 1
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp 1
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp 1
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp 1
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp 1
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.27.10:443 tse1.mm.bing.net tcp 5
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp 1

Flows are grouped in order of first appearance; the 44 connections to bejnz.com and the 44 to 127.0.0.1:127 alternate one-for-one as in the win7 run. Only bejnz.com / 44.221.84.105:80 appears in both detonations. The g.bing.com, tse1.mm.bing.net and in-addr.arpa reverse lookups are typical Windows 10 background traffic, and the report does not attribute flows to processes, so they should not be recorded as sample indicators. 105.84.221.44.in-addr.arpa is the reverse lookup of the C2 address.

Files

memory/4124-0-0x0000000075012000-0x0000000075013000-memory.dmp

memory/4124-1-0x0000000075010000-0x00000000755C1000-memory.dmp

memory/4124-2-0x0000000075010000-0x00000000755C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4e-ugpkl.cmdline

MD5 c940963f45c8cb91a18e378f4c0ff08a
SHA1 56d1f12198b938a3647254772bd870b70e12d472
SHA256 2bb2bfc22ca509f52cfbab3292cb761f618b058fef838e41778e4dcdb8c4c33a
SHA512 8f10a83962265d79813a2e25459b779a5af6bbefce9115c0b2b247cd0a013e5f57c140f53e12d6cbd79a25f254c1c5476ebdf6d7c14ce3e76a6287663696d452

C:\Users\Admin\AppData\Local\Temp\4e-ugpkl.0.vb

MD5 4c372b8ba364cf4efe7306a60e161bd9
SHA1 824bf5d02cac40cbae27bf9060ba82c7d6908515
SHA256 774b0fe21b02d4f14c56e213d39779bdc370265d591aaa501e1afece76a2d94e
SHA512 bbaaf4054d4d0b5076fc2a2adcf01f03287a727521ec637f5975e793ae78e1233f6c7412ef8ddb51b419c710404540f968bb1808769e5ce0168adf07e4d9e678

memory/1192-9-0x0000000075010000-0x00000000755C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbc92A6D2CB2F5644E9B2E64CC68CE0214D.TMP

MD5 ea4cc557edd440c57b265a1a3ba113f3
SHA1 fe84def0bf99f9d1c51b7d3b74db4ebb6a6d3114
SHA256 25f9e12e3f64cd48fa9f17c9e554b59cb0a2debf48afcac3912051c3a32ee845
SHA512 336af301a236acc0932475d3397e819c667bf2e9fc5bc4b23b9e4a127f729ac243f0c236fb68368dba5757e80f5d1633c919c230076ad353d32667f12d695d62

C:\Users\Admin\AppData\Local\Temp\RES8AAC.tmp

MD5 8d4805a2872e949916b20e5a3741f6e8
SHA1 0343691c7620c8e78a46d3580f359850a22fc864
SHA256 1e504c26812fe9c8da304b1c90b6e13965cceb244bc3bf0af6cad6404208cbc1
SHA512 b42fcbae6fe55a02735dd493f94a61577c8bc189d3bea91fbc67dfa9435efa6c2c9d7322505d1f8fa4084f44618ebf6384e37720377a1eefd2395bb8bc5d115d

memory/1192-18-0x0000000075010000-0x00000000755C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8993.tmp.exe

MD5 22810df01c4b3f3277e4341ca127488d
SHA1 e32b14296283f1a91ab5315010bfa5d473e7db71
SHA256 ffe33c77d827e1ca9bb2d390597299cbe06f47b6b07de2d147864f5582fd261c
SHA512 6de91b28a04a20793d46b1dfbaff8786c8570ffeb63c19385786054fd48ea03a07e9bb62bced7558b341571968d03c546b8a7ab544f02752db166b36bc6c46b1

memory/4124-22-0x0000000075010000-0x00000000755C1000-memory.dmp

memory/972-23-0x0000000075010000-0x00000000755C1000-memory.dmp

memory/972-24-0x0000000075010000-0x00000000755C1000-memory.dmp

memory/972-26-0x0000000075010000-0x00000000755C1000-memory.dmp

memory/972-27-0x0000000075010000-0x00000000755C1000-memory.dmp

memory/972-28-0x0000000075010000-0x00000000755C1000-memory.dmp

memory/972-29-0x0000000075010000-0x00000000755C1000-memory.dmp

memory/972-30-0x0000000075010000-0x00000000755C1000-memory.dmp

Across the two detonations the compiled payload (tmpB55B.tmp.exe, tmp8993.tmp.exe), the generated source (*.0.vb), the response file and the compiler temporaries all differ in hash, because vbc.exe produces them fresh on every run; only zCom.resources (SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5) is byte-identical in both runs and is the one dropped file whose hash is a usable indicator. The Run key target big5.exe is not listed among the dropped files in either run.