Malware Analysis Report

2024-11-16 13:12

Sample ID 241104-cfmtnszkdv
Target a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N
SHA256 a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610
Tags
metamorpherrat discovery rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610

Threat Level: Known bad

The file a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 02:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 02:01

Reported

2024-11-04 02:04

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9FE7.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp9FE7.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3056 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3056 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3056 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2524 wrote to memory of 2092 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2524 wrote to memory of 2092 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2524 wrote to memory of 2092 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2524 wrote to memory of 2092 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3056 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe C:\Users\Admin\AppData\Local\Temp\tmp9FE7.tmp.exe
PID 3056 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe C:\Users\Admin\AppData\Local\Temp\tmp9FE7.tmp.exe
PID 3056 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe C:\Users\Admin\AppData\Local\Temp\tmp9FE7.tmp.exe
PID 3056 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe C:\Users\Admin\AppData\Local\Temp\tmp9FE7.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe

"C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\obo5o980.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1CB.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp9FE7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9FE7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp

Files

memory/3056-0-0x0000000074861000-0x0000000074862000-memory.dmp

memory/3056-1-0x0000000074860000-0x0000000074E0B000-memory.dmp

memory/3056-2-0x0000000074860000-0x0000000074E0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\obo5o980.cmdline

MD5 ac306b8e0483096ed9a543adf45f20e4
SHA1 4e39fb8023b26b9f773822cdc37f3c8fc5d9954c
SHA256 71b3937c756ddedf78b1f7bcc5d08ae01295a8109ed7744548aef79d95defe3f
SHA512 f6bc9deb1c93781bc6084193ddb10f9fc789f506ed939808ed0c6a2191dc56b6c7a0d64edf6b02cdf80edbfc5fb0f1cf0af52204c1460b92e732a45f29eb7cdd

memory/2524-8-0x0000000074860000-0x0000000074E0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\obo5o980.0.vb

MD5 e1356463768111aa84f214e5567f9f4d
SHA1 9b46a19c98a668ce1f0f6533412525ffa55468f4
SHA256 ddec2eb164041fd8ab24a9a4ae2449e87dfd0cf4b30a4454046f19f15affe0c6
SHA512 2542f16e20a8710649956ce50f792f96a32a5909eda6b217afa6a3c7a0a0936778956b2c9bd29573515fea36c0b703674a0b012cf3d3e104aadba1fe03c0b587

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 484967ab9def8ff17dd55476ca137721
SHA1 a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

C:\Users\Admin\AppData\Local\Temp\vbcA1CB.tmp

MD5 e099e288a2656e9de9630dd4a1ee03e5
SHA1 c15b5d7975c4213771a76e980f31b421b93fcd69
SHA256 37c8190edfdac646250af0a7b226099c8a61320d79a0f83decc6277d519fdcf6
SHA512 4e9556ba0753462df4f53ae25b6acbe04a88456b96de5f12bdcdf4f146c41c6be2ca39f4a98ee7cad168ac9597a5608424e859b480283a0e0a187cc6f1618948

C:\Users\Admin\AppData\Local\Temp\RESA1CC.tmp

MD5 0d39f62f40666dee2ca2f5f3f6f7f488
SHA1 099c08e3524d09335b1f43774ea872bd1438db02
SHA256 a4b955ab87d1218ce2597d0acf31d9efac4b995486fe143714d2887a24bccdf2
SHA512 a8f6310c1f168301cbab977593127709a665a9bf24249ecb985e15e8b8c63e4034e3709cacce8824057b12893297756a39690c8add4dfd1287b2c05e2770f233

memory/2524-18-0x0000000074860000-0x0000000074E0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9FE7.tmp.exe

MD5 f0b89f060777f3d334d4ce1cce817d6e
SHA1 20d8e3891bc94fcf109a2109e707c09b9bc9cf25
SHA256 e73609ec5dc6696785e3d3f7a4295b5777c9f48110c1e8c63898f6cfda6498fc
SHA512 f16940869efa6a2dca10b22425884620b2bbf8f0a733cdea23a231c9183d30c6b4eeafe29194f327a5af772924dffa22faab3f6e18f2e0d823b0a5ea0be776a1

memory/3056-24-0x0000000074860000-0x0000000074E0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 02:01

Reported

2024-11-04 02:04

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9673.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp9673.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp9673.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3948 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3948 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3948 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1388 wrote to memory of 684 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1388 wrote to memory of 684 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1388 wrote to memory of 684 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3948 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe C:\Users\Admin\AppData\Local\Temp\tmp9673.tmp.exe
PID 3948 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe C:\Users\Admin\AppData\Local\Temp\tmp9673.tmp.exe
PID 3948 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe C:\Users\Admin\AppData\Local\Temp\tmp9673.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe

"C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tvoafhxh.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9971.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA871294945D42F09243BB83F34CB41.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp9673.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9673.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp

Files

memory/3948-0-0x0000000074A72000-0x0000000074A73000-memory.dmp

memory/3948-1-0x0000000074A70000-0x0000000075021000-memory.dmp

memory/3948-2-0x0000000074A70000-0x0000000075021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tvoafhxh.cmdline

MD5 ba846d150ae8cca2bf3b195a3b5ffb67
SHA1 61cff4ec966423e9b5eac003a58fc85df1c4f7e5
SHA256 5a9d63c947c2845ac43e1ada1373c059f3ae4a1e82d68b861b682d4b86644d9f
SHA512 ed931fb5ffb8e043b94079b81034e4741bbe0017b22b0e331e8a309724e58b57da5ffd14fae880552776c0ed698bcae5ab3a7fd7af241975d9afdb10d3009888

memory/1388-9-0x0000000074A70000-0x0000000075021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tvoafhxh.0.vb

MD5 a9d508d47fc1c635714583b8970acaac
SHA1 eb725106ef27b9552aa5bbc3f3dbc662ff8ce739
SHA256 fa5d6bd9d81f7a0de2ea010f8529a3aeb9ff8ec19b7fdad414837f66defd79df
SHA512 d3183b04735624b8f7150a5135f63a0047bdbc2102812941409149306e9366a847cfe98b30be556c13c950654e61ba75009462332220e60fe7b214106561f8dc

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 484967ab9def8ff17dd55476ca137721
SHA1 a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

C:\Users\Admin\AppData\Local\Temp\vbcFA871294945D42F09243BB83F34CB41.TMP

MD5 b5d5c857925109f37981d21bf66ab2c6
SHA1 39c759750d0ed72e1a200a4a21146ea5d20f56e8
SHA256 efc31147b10f26f2ebab39b478ae6b8a2a836e7ebdec38998e316efb6b16ac68
SHA512 a8484ed80ece00ff8ffb8aa9e76d314e2ca0ddc7d6399c9bd0540a05a821ced0441316a2f8cd2e06074ea790b5f989b23823c9aff977428db9196d00cf934724

C:\Users\Admin\AppData\Local\Temp\RES9971.tmp

MD5 7fc5e9c152680051be42bd385b7db7c2
SHA1 5ba0f5aee8f85faac15901f2b033c628f546330b
SHA256 8ee8ae13edcdef0c831b251c618a8187ce010951fd80a7f14f0e8bf9e2c20b50
SHA512 20d617db0f853b46dd6be14234d4435ff63861f91bd3316f9ac1d7b3ca0109a470bbe0a4ddcc9b3551b521cdd2c6c026b3c61b3769ee4004994c2920ecf38263

memory/1388-18-0x0000000074A70000-0x0000000075021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9673.tmp.exe

MD5 0a8e9c04e85feb903410ef04ddf827e4
SHA1 e51b7211eb6c3a8add9a3a1921d9bfd8ceb6d411
SHA256 62d3ca83336ff51c16f3eab110638b0cfe9b3f163ff644a6c2340342cd72b877
SHA512 bd8f1413cf368758677bd7c18450423bdca41ac001c9b9af640856000118a76cd47454574957e5b6dc8e73fef664e1a4a92caa2128802d9e6a6424082d724083

memory/3948-22-0x0000000074A70000-0x0000000075021000-memory.dmp

memory/880-23-0x0000000074A70000-0x0000000075021000-memory.dmp

memory/880-24-0x0000000074A70000-0x0000000075021000-memory.dmp

memory/880-25-0x0000000074A70000-0x0000000075021000-memory.dmp

memory/880-26-0x0000000074A70000-0x0000000075021000-memory.dmp

memory/880-27-0x0000000074A70000-0x0000000075021000-memory.dmp

memory/880-28-0x0000000074A70000-0x0000000075021000-memory.dmp