Malware Analysis Report

2024-11-16 13:12

Sample ID 241103-t37wsszakj
Target 5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N
SHA256 5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527
Tags
metamorpherrat discovery persistence rat stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527

Threat Level: Known bad

The file 5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

Metamorpherrat family

MetamorpherRAT

Uses the VBS compiler for execution

Loads dropped DLL

Checks computer location settings

Deletes itself

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 16:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 16:36

Reported

2024-11-03 16:38

Platform

win7-20240903-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpDE7D.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpDE7D.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpDE7D.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpDE7D.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2324 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2324 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2324 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2288 wrote to memory of 1560 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2288 wrote to memory of 1560 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2288 wrote to memory of 1560 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2288 wrote to memory of 1560 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2324 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe C:\Users\Admin\AppData\Local\Temp\tmpDE7D.tmp.exe
PID 2324 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe C:\Users\Admin\AppData\Local\Temp\tmpDE7D.tmp.exe
PID 2324 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe C:\Users\Admin\AppData\Local\Temp\tmpDE7D.tmp.exe
PID 2324 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe C:\Users\Admin\AppData\Local\Temp\tmpDE7D.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe

"C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1kfy8kqq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF68.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF67.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpDE7D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDE7D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2324-0-0x0000000074121000-0x0000000074122000-memory.dmp

memory/2324-1-0x0000000074120000-0x00000000746CB000-memory.dmp

memory/2324-2-0x0000000074120000-0x00000000746CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1kfy8kqq.cmdline

MD5 d7b70473e0347564b032076a8b6fd237
SHA1 0c63eceb55600ad0bfe61eb371a28a1cffc06e94
SHA256 b359c386a747345f321848aa372614f0ba7622b6a48d5e01fc181ec061806f6d
SHA512 bb1cac064878ff571ae0bf0401bcb1a4aa549056177654bdf02ba678eb077002d7dc95071a933759acc02883f7dce6a20084d7dba7a67cb3012767494a0e5cad

memory/2288-8-0x0000000074120000-0x00000000746CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1kfy8kqq.0.vb

MD5 59f1d640ad5c9661c52e1a55ad5f6627
SHA1 e1630e60ee500aee6d17e59c865df7df78a90681
SHA256 250fd44c3b2b179c57334bb89ab45950c6a8ba41c509872fa4f99ac59e3f348f
SHA512 8360de554d7ca38304b6832ca1a483ac7c8e08eda691e1aa57425d8b9783e3884c3c03626053f31c381b3ba49f926d5e83ba5773a6851658fdcb910bda7b9cf8

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbcDF67.tmp

MD5 a3d2edb5ca5367053e45b848acdb3103
SHA1 eff88c453a4417e2cde5fdc35f46e8854b3f857e
SHA256 5224f2eaaaa56379d159d05225ac49876d1df91e6d5b932d4a52fb53ce6148bf
SHA512 67100ea046a4956be8ebc5a89152639b31a9674a2989e56ada7b0872db1230eb363f7d5f8a714363e8e7ec48d385ef0715e901aaa1db713b51820797983a4ff1

C:\Users\Admin\AppData\Local\Temp\RESDF68.tmp

MD5 a2632175fe81455be56181cf2b8b3578
SHA1 66765db01149923b81e8e82b728dccd4f05a41f7
SHA256 bd3805052b7caac986394d0dc9db1ce466b6ac764ab7f924be612d486adc3fb4
SHA512 4e3fb962fa15fe278ce1db402935b462d19bfebd4dbf1be75d04eaab59db6a94cf766b82c18e7d59b722b231850fa382184870b34542f9317014e1379c0be47d

memory/2288-18-0x0000000074120000-0x00000000746CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDE7D.tmp.exe

MD5 e68c4bb2d5f5407a201b1a0083b4a532
SHA1 e144287bba3edbb1c13067705bc2f0a984ee3490
SHA256 f68f3e0c6f0aef7970df1e4f8dfe0bbae62d7e1741b26b8178e8311db8cde42d
SHA512 5de3a66fea8b033dc45d301879b35a1ae58db2c02a58aca1b60bac1530c1c016fdf679fb9a7da04579c8535ecbec86baede77c08ce3766fe581d85bdb0e9c4c4

memory/2324-24-0x0000000074120000-0x00000000746CB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 16:36

Reported

2024-11-03 16:38

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA604.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA604.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpA604.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpA604.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpA604.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3296 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3296 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3296 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 440 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 440 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 440 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3296 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe C:\Users\Admin\AppData\Local\Temp\tmpA604.tmp.exe
PID 3296 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe C:\Users\Admin\AppData\Local\Temp\tmpA604.tmp.exe
PID 3296 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe C:\Users\Admin\AppData\Local\Temp\tmpA604.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe

"C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r7kzuuav.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA77B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc753B3DAFBC0A44B6AF3DA0543E53B195.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpA604.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA604.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 155.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/3296-0-0x0000000074EC2000-0x0000000074EC3000-memory.dmp

memory/3296-1-0x0000000074EC0000-0x0000000075471000-memory.dmp

memory/3296-2-0x0000000074EC0000-0x0000000075471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\r7kzuuav.cmdline

MD5 a543f16c1f6fc1d330b54b3b36c1c722
SHA1 c9d435340d65758a4617e6f7f99a80e6ba105360
SHA256 fad8b55e7ffb0c95e52f82bfd706eac1925f0b9d116fce92748440a1a9946b71
SHA512 6d0027d745f5317221d291f148d13cb6fd95241f2049195dd7f47d636eb06fed8aec77e53d0999eec5bc2786f5cbcb6e5c3dc6a31a675e044e2a642512415b45

C:\Users\Admin\AppData\Local\Temp\r7kzuuav.0.vb

MD5 ac0b8435ee00ca2f4f04bb79ceddb908
SHA1 26041c9b02a29cb886c91649639c46b640c2c11f
SHA256 e7f2cbcce81e0d7a03d08d3deb9767aef0116b992b9098d9e3b6bc17e483cb8f
SHA512 587c7413c880f428b15690c89900a07bf1c62fe64f0720e7a6ad1105fbdc244a0150ce731305da54f15a9cb0af65b75b80105a02dd69262e3331e865bd6b981e

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

memory/440-9-0x0000000074EC0000-0x0000000075471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc753B3DAFBC0A44B6AF3DA0543E53B195.TMP

MD5 34f90ec5a2731f61a6a3614c37ee4723
SHA1 31530a32a99cf36d3c86abec4345d19dc7531ea3
SHA256 4bd7d640e3dcdadb1507e242c73d5d7ed1187ed3d924c765196b2f84fbe0a9d9
SHA512 baff346eabda6a4297dea01f2cddbc4bfbfacfbbe7d03c8035cc2f80acb3328b3f577959f0566876f6a07d3c67c9ddb2d68ac970e5e13e99ad76e0d6732bf371

C:\Users\Admin\AppData\Local\Temp\RESA77B.tmp

MD5 c4b77756a7367021bfaf6688a1359265
SHA1 16f16acf20d1e1736ebee1f13b874ce5943d3a5b
SHA256 c39d693d6dfceb2b04e826a7ef92c76370a5ea08c01c4f01520c6fb31e82ae11
SHA512 fff759028992e773ee94d8931614b80a123d06072f484665c7a3e1fb6e4f81f84b843acd9911dedafdec426404b8019b2121674ca3ebc2def7437db7e49c7350

memory/440-18-0x0000000074EC0000-0x0000000075471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA604.tmp.exe

MD5 803709855011faecbc41dcc51bcd099e
SHA1 c799535147a670a3803acd6e3f58f91b0b84706e
SHA256 b57b90ff4da8848362ad295e4339d7f29f7a90749a319ad8fd30fd31ba9ebdee
SHA512 f1842591965a360cd11e24740f76a71ca222fdebfae1ca94875b757bbf052b3b24738f4e9e95bcac00e3a3c25211ad1640ac6bdec93a05d2f4809ea3004a20d0

memory/3296-22-0x0000000074EC0000-0x0000000075471000-memory.dmp

memory/1300-23-0x0000000074EC0000-0x0000000075471000-memory.dmp

memory/1300-25-0x0000000074EC0000-0x0000000075471000-memory.dmp

memory/1300-24-0x0000000074EC0000-0x0000000075471000-memory.dmp

memory/1300-27-0x0000000074EC0000-0x0000000075471000-memory.dmp

memory/1300-28-0x0000000074EC0000-0x0000000075471000-memory.dmp

memory/1300-29-0x0000000074EC0000-0x0000000075471000-memory.dmp

memory/1300-30-0x0000000074EC0000-0x0000000075471000-memory.dmp

memory/1300-31-0x0000000074EC0000-0x0000000075471000-memory.dmp