Malware Analysis Report

2024-11-16 13:11

Sample ID 241104-safq6s1frg
Target dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N
SHA256 dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5

Threat Level: Known bad

The file dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 14:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 14:55

Reported

2024-11-04 14:57

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1836 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1836 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1836 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1836 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2416 wrote to memory of 2504 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2416 wrote to memory of 2504 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2416 wrote to memory of 2504 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2416 wrote to memory of 2504 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1836 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe
PID 1836 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe
PID 1836 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe
PID 1836 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe

"C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n1yil_ir.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC65C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC65B.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe

Network


Files

memory/1836-0-0x0000000074241000-0x0000000074242000-memory.dmp

memory/1836-1-0x0000000074240000-0x00000000747EB000-memory.dmp

memory/1836-2-0x0000000074240000-0x00000000747EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\n1yil_ir.cmdline

MD5 918d3c699ca71d414f6d96e1d639b158
SHA1 4c48583ff486735d7765a4d10ef1d680f5c1f28e
SHA256 e771242c38c696e773981e78536f12280a7bf4177609be5ec3f74c43c54f8ea8
SHA512 7503ac09c2f90e7e1f103031c91eddd2202ee43ed31b81fc9ae483627484603e644b22a831489e6cd7e3cc608076ab62d653c58822526e5ea3f889fefe46b4e9

memory/2416-8-0x0000000074240000-0x00000000747EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\n1yil_ir.0.vb

MD5 e05b7fdd37ffc0aecace2e225098ca47
SHA1 d4397b5629d3f10c313341f9b23b6381f8ae6be2
SHA256 d41e79c8c3f9e7457ed2c398d03d9b8d4610ef47a7cfe6351e0a64f539b6d293
SHA512 52cdd855aa2868354e8f7150d50fd006c67295d88191fbc3a2d211fbd8daa493208d1da1590c040ab07c3e30863c61bac6ee7130b2b83196c4392c9c7b191355

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbcC65B.tmp

MD5 c501f6928a4c1bd13b2e781a74641ac1
SHA1 55a4219aac852ec43115cd2882d8bf15cf68936b
SHA256 ae8db389a144c975de6fbe39618f08fb443a4bb28c59a3207c9b448f9dec2260
SHA512 7639effced40398df85287bcc6f0d202fa661759de91ea6f8afdd837c0e927d0f4a7fc4eb6087850197ba93b6b46c7c59623d4706db5ff88a69a7546776a1c59

C:\Users\Admin\AppData\Local\Temp\RESC65C.tmp

MD5 22ffe6264ad77a377e85b810bdb2be96
SHA1 68acbff65827bc43a7d57798341cd7321f451cd8
SHA256 f89f9e82d7d0ee3fcf84c48c8ab085da8b58841ede2fdefa9b0ada88f73d8fc0
SHA512 13505c146bc27eae8655dce8406d1a39d6daa76fbf588ed99f5545a1aae896301129f930a29c29e7b405c3bcf2bcaa05b2d7652989c7b0604131aca75b3a7484

memory/2416-18-0x0000000074240000-0x00000000747EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC542.tmp.exe

MD5 11b577655b9c35054a0edb8d7c188051
SHA1 6990d678156fff24e314a55b29e11d2ee508b59b
SHA256 1102901fc056b15c60edd00c87e5bc8214704d7d001ccec7993e44efcf820198
SHA512 09d8d5faa7bad1ff659c6bd3e3b9a8ea40908e106017ff8de958d0353c565b3b4cb33e57e97351a80288962304980321052036bc8d134e6b36b85372bbe5d91d

memory/1836-24-0x0000000074240000-0x00000000747EB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 14:55

Reported

2024-11-04 14:57

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3356 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3356 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3356 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4824 wrote to memory of 3572 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4824 wrote to memory of 3572 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4824 wrote to memory of 3572 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3356 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe
PID 3356 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe
PID 3356 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe

"C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wxt7oz4e.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF28E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9DD9AF7E7614E9BB82CE93FF5E0A552.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dce09e588bfcd37343eae7553b0a8958fca7dd3a749ada51600de51eeedd4ff5N.exe

Network


Files

memory/3356-0-0x0000000075302000-0x0000000075303000-memory.dmp

memory/3356-1-0x0000000075300000-0x00000000758B1000-memory.dmp

memory/3356-2-0x0000000075300000-0x00000000758B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wxt7oz4e.cmdline

MD5 2c06bbd11e506b6794c1a775fcd86800
SHA1 b6380dbbb3e7a2eee53453810f34f4b1761e30ea
SHA256 4f6ed3469d7c70b328660f48880e75e34b3e7ecd852a1c9f12a40d371e8caf2b
SHA512 43162698c7f5a03f34f0c1a03ed2f3abb80feefb808cad0f648113290f0cea055507dc65a861bc0f259778e10b6e13e3950f7653d9a2c5552640aa9afa8baea4

memory/4824-9-0x0000000075300000-0x00000000758B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wxt7oz4e.0.vb

MD5 09fad7aba36cdc1227ef37b4b69ab583
SHA1 361f94ac7f244b7d590e1ca66cc9dfebc5080d92
SHA256 ab2b1f4191eb76180ab154e2ddd7901e7900cb26a6df55b7fa0a165ec3506be9
SHA512 4dc97109c79cd015f19eeeeef41a76d8ccb570b6412e0314c13d8009acbf71bb3c42566a5eb490414e90e2a06e597d38d810b4753145f3646f4cff91085f02c7

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbc9DD9AF7E7614E9BB82CE93FF5E0A552.TMP

MD5 71265b061be93a939ab31db4dc17336c
SHA1 3c59e735b90550f2d7cd6ba061d555f1affbb3cb
SHA256 7609834282fa09eb9af9b4b34ded8d924a23f42af46b282812ae2a43163687cc
SHA512 672398b16ec0f13f94a07ed6b170a9d9126ed561c5964b54c01e405155964a0c33c2f9b105e63576d879855f5bb0f646c23dd47303855fdf34612982bad059ce

C:\Users\Admin\AppData\Local\Temp\RESF28E.tmp

MD5 e369f6c8cae764ae660e30432ccba239
SHA1 029ea92d3570227852cd651eadce9f58c17cb5cb
SHA256 66b9096dfe938455a4e638dda4477731b467e87dcacec4cddd9d4b88acc2ebb6
SHA512 11da37b11acf43acd23699c64b88eeb5f8f3950418fb8911bc1b76419a1c75ad3a71f89d1e0420c0bfae4352d398e20186941d703616a47c96dd7d90a4a3053e

memory/4824-18-0x0000000075300000-0x00000000758B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF117.tmp.exe

MD5 309e16c91f88babea2ed05f4e2282793
SHA1 4619c0a562e0b1065a89b7cb81c3109b27b6fa17
SHA256 ec0155079b26696a43127f944553cfde0ed75f04177c9ac4433389ef6cf6a1b7
SHA512 1b92eacb8a3ccc11334df9915d154255370e8e0bf6f12d88236bfeb2451bea3d07564e083b24e9622dd027437a147f2d0da7dc0183e4b311d07bcd08972cb4bb

memory/3356-22-0x0000000075300000-0x00000000758B1000-memory.dmp

memory/4920-23-0x0000000075300000-0x00000000758B1000-memory.dmp

memory/4920-24-0x0000000075300000-0x00000000758B1000-memory.dmp

memory/4920-25-0x0000000075300000-0x00000000758B1000-memory.dmp

memory/4920-26-0x0000000075300000-0x00000000758B1000-memory.dmp

memory/4920-27-0x0000000075300000-0x00000000758B1000-memory.dmp

memory/4920-28-0x0000000075300000-0x00000000758B1000-memory.dmp