Malware Analysis Report

2024-11-16 13:12

Sample ID 241104-cd4dms1cqj
Target a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N
SHA256 a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610
Tags metamorpherrat discovery rat stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610

Threat Level: Known bad

The file a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Checks computer location settings

Uses the VBS compiler for execution

Loads dropped DLL

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 01:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 01:58

Reported

2024-11-04 02:00

Platform

win10v2004-20241007-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4084 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4084 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4084 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 216 wrote to memory of 2792 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 216 wrote to memory of 2792 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 216 wrote to memory of 2792 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4084 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.exe
PID 4084 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.exe
PID 4084 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe

"C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oiqsv2ey.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES886A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6DDC5083998403A895D4CBD9E2457.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe

Network


Files

memory/4084-0-0x0000000074BB2000-0x0000000074BB3000-memory.dmp

memory/4084-1-0x0000000074BB0000-0x0000000075161000-memory.dmp

memory/4084-2-0x0000000074BB0000-0x0000000075161000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oiqsv2ey.cmdline


C:\Users\Admin\AppData\Local\Temp\oiqsv2ey.0.vb


memory/216-9-0x0000000074BB0000-0x0000000075161000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources


C:\Users\Admin\AppData\Local\Temp\vbc6DDC5083998403A895D4CBD9E2457.TMP


C:\Users\Admin\AppData\Local\Temp\RES886A.tmp


memory/216-18-0x0000000074BB0000-0x0000000075161000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8676.tmp.exe


memory/4084-23-0x0000000074BB0000-0x0000000075161000-memory.dmp

memory/2452-22-0x0000000074BB0000-0x0000000075161000-memory.dmp

memory/2452-24-0x0000000074BB0000-0x0000000075161000-memory.dmp

memory/2452-25-0x0000000074BB0000-0x0000000075161000-memory.dmp

memory/2452-26-0x0000000074BB0000-0x0000000075161000-memory.dmp

memory/2452-27-0x0000000074BB0000-0x0000000075161000-memory.dmp

memory/2452-28-0x0000000074BB0000-0x0000000075161000-memory.dmp

memory/2452-29-0x0000000074BB0000-0x0000000075161000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 01:58

Reported

2024-11-04 02:00

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1C5.tmp.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp1C5.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2068 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2068 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2068 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2068 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2832 wrote to memory of 2904 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2832 wrote to memory of 2904 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2832 wrote to memory of 2904 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2832 wrote to memory of 2904 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2068 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | C:\Users\Admin\AppData\Local\Temp\tmp1C5.tmp.exe
PID 2068 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | C:\Users\Admin\AppData\Local\Temp\tmp1C5.tmp.exe
PID 2068 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | C:\Users\Admin\AppData\Local\Temp\tmp1C5.tmp.exe
PID 2068 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe | C:\Users\Admin\AppData\Local\Temp\tmp1C5.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe

"C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jaldkrmo.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CE.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp1C5.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1C5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe

Network


Files

memory/2068-0-0x0000000074D11000-0x0000000074D12000-memory.dmp

memory/2068-1-0x0000000074D10000-0x00000000752BB000-memory.dmp

memory/2068-2-0x0000000074D10000-0x00000000752BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jaldkrmo.cmdline


memory/2832-8-0x0000000074D10000-0x00000000752BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jaldkrmo.0.vb


C:\Users\Admin\AppData\Local\Temp\zCom.resources


C:\Users\Admin\AppData\Local\Temp\vbc2CE.tmp


C:\Users\Admin\AppData\Local\Temp\RES2DF.tmp


memory/2832-18-0x0000000074D10000-0x00000000752BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1C5.tmp.exe


memory/2068-24-0x0000000074D10000-0x00000000752BB000-memory.dmp