Malware Analysis Report

2024-11-16 13:12

Sample ID 241103-t524bszapm
Target 5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N
SHA256 5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527

Threat Level: Known bad

The file 5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

Metamorpherrat family

MetamorpherRAT

Uses the VBS compiler for execution

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 16:39

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 16:39

Reported

2024-11-03 16:41

Platform

win7-20240903-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7A00.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp7A00.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp7A00.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7A00.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2320 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2320 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2320 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2320 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1592 wrote to memory of 2848 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1592 wrote to memory of 2848 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1592 wrote to memory of 2848 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1592 wrote to memory of 2848 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2320 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe | C:\Users\Admin\AppData\Local\Temp\tmp7A00.tmp.exe
PID 2320 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe | C:\Users\Admin\AppData\Local\Temp\tmp7A00.tmp.exe
PID 2320 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe | C:\Users\Admin\AppData\Local\Temp\tmp7A00.tmp.exe
PID 2320 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe | C:\Users\Admin\AppData\Local\Temp\tmp7A00.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe

"C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\luvokjsq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AEB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7AEA.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp7A00.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7A00.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bejnz.com | udp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp

Files

memory/2320-0-0x0000000074421000-0x0000000074422000-memory.dmp

memory/2320-1-0x0000000074420000-0x00000000749CB000-memory.dmp

memory/2320-2-0x0000000074420000-0x00000000749CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\luvokjsq.cmdline

MD5 3cbc354281ee30683138631caf8768db
SHA1 f8a9ae7c773206a1bf778b1a0c3b6386cc498e51
SHA256 ae18a8bae7025e32f22e0a05aa52ba4c442d567a9dc45d334af207d903662e55
SHA512 0b48d18ed9edda61bedabe8f03882e17f0f13fe73e034d5ff8c912ee73cac0bec30a0ac5e0cc950fd5e8310267eaedc968f8cfef3b2a24f37390882e6257686a

memory/1592-8-0x0000000074420000-0x00000000749CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\luvokjsq.0.vb

MD5 217c90a214992bfe084ddad2f251fa7d
SHA1 70739c2c1c39141f2367ff2ef6c9dc083fc81fc1
SHA256 6fbfef5b5c663880e1041d9bf7fe6e12b07426a8379de9d44d2c30a40db10335
SHA512 e11397c1667390ac953c6c7ba641fcb7f5124c557ffa3a251dfea54dfb92b0f9c6e9f0531cc9ec47ff9d816aa1219e369607eb85019b339fbcaacadab73c3397

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\RES7AEB.tmp

MD5 3876ca5b87df5816169ee1dc10a0ddd9
SHA1 e10ceb2684cb9fa156b0462f5635947c3963ab19
SHA256 1f84c98bee577f30451d10cc87f65fe759fa010b0ecbc9c6d797f2c28edef4ce
SHA512 c89b6a49d00a3e04fc6652e0d6d72c9bce8a67c49a4b3066b1eb2316cff69087e26070ba06e72dae069c5c6ffa973b231f93c5339abe0fdc6fe06e2cf8c3530d

C:\Users\Admin\AppData\Local\Temp\tmp7A00.tmp.exe

MD5 54fad5b1c452406fa6e4da3cfc0587be
SHA1 5cc52ccfee2d3113269b0b03aef87b25ec981601
SHA256 e2bc5298f30b968fa3509ae98930a790f0d67b3473f962b69a1ddd2699f4993e
SHA512 888b3da9d83cf7de59a0b59b85c6244b06c3563011afb0fe656679392646dda16d8732d3c2381a87adc0c3d3db0e7504d7693678979619d9ba0d072594e586a4

memory/1592-18-0x0000000074420000-0x00000000749CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc7AEA.tmp

MD5 723166eccc20cd6674cb29d01989f1fb
SHA1 d7a49ce93016e083bfda996597ebaf5450088eab
SHA256 3c4730a2823c5c7cd1ac741b201082aaf64260286bed47a788f0a1eb8c2b185c
SHA512 2b930ad11fb7377a6a405feb65cf21480376401fd11ef926fbea62d5e9e6bc0e08f4c12bb6b433326119fa850982df37f2119f1efdb2d35c474feedc19dabe6f

memory/2320-24-0x0000000074420000-0x00000000749CB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 16:39

Reported

2024-11-03 16:41

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp77B0.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp77B0.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp77B0.tmp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp77B0.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3472 wrote to memory of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3472 wrote to memory of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3472 wrote to memory of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3628 wrote to memory of 3484 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3628 wrote to memory of 3484 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3628 wrote to memory of 3484 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3472 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe | C:\Users\Admin\AppData\Local\Temp\tmp77B0.tmp.exe
PID 3472 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe | C:\Users\Admin\AppData\Local\Temp\tmp77B0.tmp.exe
PID 3472 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe | C:\Users\Admin\AppData\Local\Temp\tmp77B0.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe

"C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ikqcolr5.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7956.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc506D392D9F5E4B1BAA2EF1B930A6383.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp77B0.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp77B0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5cbc4ab09ff0de780dfd11e8e99840f89ad6954af5a58240bae5d06ab3b1b527N.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | bejnz.com | udp
US | 44.221.84.105:80 | bejnz.com | tcp
US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 8.8.8.8:53 | 101.11.19.2.in-addr.arpa | udp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp
US | 44.221.84.105:80 | bejnz.com | tcp

Files

memory/3472-0-0x0000000074992000-0x0000000074993000-memory.dmp

memory/3472-1-0x0000000074990000-0x0000000074F41000-memory.dmp

memory/3472-2-0x0000000074990000-0x0000000074F41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ikqcolr5.cmdline

MD5 3fdf30bb04c698418286563a6c1d6efb
SHA1 47f66807419d4f39eb60222c71fa59e5822a5963
SHA256 6b72a21bf343dc8907ee4a63aad73a60be5ba74d31ffcd67c51ee9e31957c9d8
SHA512 892ad84c7510073bfcb6cae82913f8feeae0a15b8a7de4a3fd28867ef7408b6019c770e9f6346c5a4553eb3e1100a5298e7f290e33c87e80adf85753e4093f7e

memory/3628-9-0x0000000074990000-0x0000000074F41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ikqcolr5.0.vb

MD5 accfff978ee070ae00ea255523f82fd4
SHA1 2cae60838cc43c8c211c561df898e6772be2eaea
SHA256 1eb1b26ee76814ea5f24f1190167d913dcdea85cb30e482d1cb6c600d3b4dfbe
SHA512 3ee86c510d7ac12c141f56ae1e448849fc63f1928f798ba49aaa27312c6ef3899dbdae8a302de8b180d55ca2182a14c4d332ceaf6fd47bd8bcd26f9d20e2c782

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbc506D392D9F5E4B1BAA2EF1B930A6383.TMP

MD5 b19a4c4d370f6dde66172a8c59c210a4
SHA1 ec9d4e44c58dfe6ca4f81938a2c296457c45c756
SHA256 31e6e811cb9b9e84065d93be835ec695190f77ae5b836c6e01bff52ef93740b5
SHA512 e07727d07ef90faf5455c445ac433c424c00c03302b7184f2f322fb194bb5d42fbb1e582b7565a250a40a4cee0de863e7ed224e6bec2ba42c7aa439e12c54f36

C:\Users\Admin\AppData\Local\Temp\RES7956.tmp

MD5 6faf6ce6610a0b9f12da427385f3c770
SHA1 b378a9b093b6a629b127d35d3a0ae3dccb07ae5d
SHA256 1713b0423b7772504eb4ee20634acc68044b20dc7c7cbb9506c5626a5dbd5a43
SHA512 32f3249b96f16ca2cced4e13cfca9acbd5281483b1b801b5702336a210ff30d8bf361b277f7ba7f6d55c4673b5a18f945f2a8f2f111267e0650c2554c4c4558b

memory/3628-18-0x0000000074990000-0x0000000074F41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp77B0.tmp.exe

MD5 11fb429aeba84c7c8d02396f60336943
SHA1 385147d704a3de674dce6d81ea366085cde41e50
SHA256 90f75b3e5da2476c6c676ebc90eb56668e59f1436f0cc200066330b1ccc21477
SHA512 49e2826cab0dde7a48fd62c310617441284cd5b696da82b947a4ce31ac8c9360ffa70859efec91588ba0bde72c917e22b635e87cc3a776c27f9f460497d7d10b

memory/3472-23-0x0000000074990000-0x0000000074F41000-memory.dmp

memory/540-24-0x0000000074990000-0x0000000074F41000-memory.dmp

memory/540-22-0x0000000074990000-0x0000000074F41000-memory.dmp

memory/540-26-0x0000000074990000-0x0000000074F41000-memory.dmp

memory/540-27-0x0000000074990000-0x0000000074F41000-memory.dmp

memory/540-28-0x0000000074990000-0x0000000074F41000-memory.dmp

memory/540-29-0x0000000074990000-0x0000000074F41000-memory.dmp

memory/540-30-0x0000000074990000-0x0000000074F41000-memory.dmp