Malware Analysis Report

2024-11-16 13:11

Sample ID: 241104-mf433axqhx
Target: e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN
SHA256: e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76e
Tags: discovery metamorpherrat rat stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76e

Threat Level: Known bad

The file e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN was found to be: Known bad.

Malicious Activity Summary

discovery metamorpherrat rat stealer trojan

Metamorpherrat family

MetamorpherRAT

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-04 10:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-04 10:25

Reported: 2024-11-04 10:27

Platform: win7-20240903-en

Max time kernel: 119s

Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp54E.tmp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp54E.tmp.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp54E.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1444 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2424 wrote to memory of 2844 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1444 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe | C:\Users\Admin\AppData\Local\Temp\tmp54E.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe

"C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gnnh6lmf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES723.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc722.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp54E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp54E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bejnz.com | udp
US | 44.221.84.105:80 | bejnz.com | tcp
N/A | 127.0.0.1:127 | | tcp

Files

memory/1444-0-0x00000000744A1000-0x00000000744A2000-memory.dmp

memory/1444-1-0x00000000744A0000-0x0000000074A4B000-memory.dmp

memory/1444-2-0x00000000744A0000-0x0000000074A4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gnnh6lmf.cmdline

MD5 5a742bb856abe23807ed053e5a3833a8
SHA1 5c95af0c9a5605f8d89278a9ed628bd267699b1d
SHA256 faf180afa99fbc281645fab9a3925a8358ecf93fdfe5c2feff93d20446f68149
SHA512 946d42b03837db9a4c79d813de0388d6d949beaae675a4e13388ea81f32c217875042952c681f5ea34071f9efa0dcd3dcddde9a126f0da0636a71a94ada9346b

memory/2424-8-0x00000000744A0000-0x0000000074A4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gnnh6lmf.0.vb

MD5 d6bfe8b204cfb96a7c8bb7b0d0c386c8
SHA1 7d6ca8d9fd3706b24f138d7cadd895cf48af9f2c
SHA256 46658309c82b5a46955bc682be53ed737cfed636067578ae82651ae70825ae99
SHA512 4b0bd109ba6c15a3be5e596a193a7e2307ecf0927239ac8bf65a0827128e6bfe6a8dc707b75ed1679b332db7934a18f534aabe7140f0e84ffe1486d7f423c999

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 484967ab9def8ff17dd55476ca137721
SHA1 a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

C:\Users\Admin\AppData\Local\Temp\vbc722.tmp

MD5 e7a91f98d4e6da0a16a4b9261e29cb91
SHA1 3337d3035764d0c0672db988ea9e84fd15aee403
SHA256 218ff786e6fb112e560af6761feeecece7b3bc90a4dca250e3efacb6476c9f0b
SHA512 bf7bbd1ba02111ba332597d5be1fc5012ed85fa8b17c8af71378b826b918172e76b4c280617a4188eb01eef77b0489878d09493ca932a5a8d2a2632151819de9

C:\Users\Admin\AppData\Local\Temp\RES723.tmp

MD5 3558379d87315d88f0485d50be71b5bf
SHA1 84f1d4817f0d6927d641a918785b776774dc96fc
SHA256 1a972671a341361d609d8edf92e9252f3793f59957b0d231edb73b24c3e9dada
SHA512 9a0ee0f8275977c6b47e1a7c7b7d9e1bb73120945316d2ea8aed256b775bac105704f276ce78cdb1ec2ba9bd4d9920f28dd5a95bedf9f6c397e419258904fe4a

memory/2424-18-0x00000000744A0000-0x0000000074A4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp54E.tmp.exe

MD5 f478fb806dd14027b89b0295e786cfcf
SHA1 e6745b5a1da3ad1a5181e851027110fc03c3b462
SHA256 ffd25055716ef86292d76d73255430f9702d4b5dfa84cf0a47910e590ec2881c
SHA512 eba7cad231233dee198aad1d648e865567ec2659ef7b4aeb2b61575dd297fd8119534f0bb62038760b2d979ff0754fde3833e0711ae2f2d796a011becd8eb2f4

memory/1444-23-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-04 10:25

Reported: 2024-11-04 10:27

Platform: win10v2004-20241007-en

Max time kernel: 117s

Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe"

Signatures

MetamorpherRAT

Tags: trojan rat stealer metamorpherrat

Metamorpherrat family

Tags: metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB391.tmp.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpB391.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB391.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5104 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4820 wrote to memory of 2804 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5104 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe | C:\Users\Admin\AppData\Local\Temp\tmpB391.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe

"C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\burfxizi.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5A4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87893EB864074E6BAF7050246693C93.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpB391.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB391.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | bejnz.com | udp
N/A | 127.0.0.1:127 | | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 44.221.84.105:80 | bejnz.com | tcp
US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files

memory/5104-0-0x00000000751A2000-0x00000000751A3000-memory.dmp

memory/5104-1-0x00000000751A0000-0x0000000075751000-memory.dmp

memory/5104-2-0x00000000751A0000-0x0000000075751000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\burfxizi.cmdline

MD5 c7c73e27c86b6ae4e0db602be42a1b6e
SHA1 325d5615bd93d23ff918d59a60f21aa87046241f
SHA256 9d78e66d25ddf9ef44ed39cf7768d57e75dc5b0e8ddd7808ba39d90041cd9ba2
SHA512 6efd03e793cab8dbaf2b2f1a194dab6249d34f33fa56e76868c08c6733a15579cb85929c4ac7ed80f3cc5c017dd874ab27e1768253045990916ff5c4263766aa

C:\Users\Admin\AppData\Local\Temp\burfxizi.0.vb

MD5 d4889c054580b3ed4365bac607ed908a
SHA1 1ad049a3c6c3816f1c28bca3942cd4bc050ca763
SHA256 2fa0a7f04d46f5cc1c0705c77bf6cddcc5da6a1b3c96af2177eabaac02be037b
SHA512 65962ac13bbae70cb62a4ee8d8a6da64705688c371ed785f93854daa6dfcbbb805e0dd2bc5d6a53afe8c89cb905cbf8b44e101518657d4be14cfbfb253e4d723

memory/4820-9-0x00000000751A0000-0x0000000075751000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 484967ab9def8ff17dd55476ca137721
SHA1 a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

C:\Users\Admin\AppData\Local\Temp\vbc87893EB864074E6BAF7050246693C93.TMP

MD5 8b5080a4afb35de8552c1048b533d4ba
SHA1 b24a3384ce8eca3dcac65403b23b9470823251cf
SHA256 d39a48c8d085754fccde3447bf8ed88c7bdc719134f084fb2807b1699197a8e5
SHA512 80f9ce2f8daf23be4d961981ed0a36f0666c16b33ec0132b0579058ae1e5e7b48229eb8fc8a976fd60fe29f99bebb46661798befa8a83465e4bc16432fdd45f1

C:\Users\Admin\AppData\Local\Temp\RESB5A4.tmp

MD5 e36ee3406a7750cb6d00110d0d7d5dac
SHA1 50cf302f7508e7a0e400298e9e4514d84686d0f9
SHA256 1c3acd3b8d9dab56b33ba2ae134604cbffe3de21e1f8714bbbafe38c8576035f
SHA512 14c2021bac698e0e7d7af7478844535dd1e6acf89533b83882d19e6df07aaf63cf038a78f9791ed18149228a6cc52c31d70ea64955f4381446e4f9da6a82f796

memory/4820-18-0x00000000751A0000-0x0000000075751000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB391.tmp.exe

MD5 643b8a257022f79c617e02d7971f0564
SHA1 dde97c89f7b99cf8d67a4ede5dd8ae96285ba2c8
SHA256 4ccdd674d15ab84d20c6ae7ca047640defda714e239cbd7c0ea3a3c7e9c9ed71
SHA512 f70c9a6987db75298b9707025adddce41a2a5e81520ee1f6602831d863644803b531418793a973cc215768386305a46b50799a43f249ab268004459885741549

memory/5104-22-0x00000000751A0000-0x0000000075751000-memory.dmp

memory/5072-23-0x00000000751A0000-0x0000000075751000-memory.dmp

memory/5072-24-0x00000000751A0000-0x0000000075751000-memory.dmp

memory/5072-25-0x00000000751A0000-0x0000000075751000-memory.dmp

memory/5072-26-0x00000000751A0000-0x0000000075751000-memory.dmp

memory/5072-27-0x00000000751A0000-0x0000000075751000-memory.dmp