Malware Analysis Report

2024-11-16 13:12

Sample ID 241105-tz1y3svfnn
Target 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N
SHA256 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78
Tags discovery persistence metamorpherrat rat stealer trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256

79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78

Threat Level: Known bad

The file 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N was found to be: Known bad.

Malicious Activity Summary

discovery persistence metamorpherrat rat stealer trojan

Metamorpherrat family

MetamorpherRAT

Checks computer location settings

Uses the VBS compiler for execution

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-11-05 16:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 16:30

Reported

2024-11-05 16:32

Platform

win7-20241010-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE080.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpE080.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpE080.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpE080.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2592 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2236 wrote to memory of 2888 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2592 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe C:\Users\Admin\AppData\Local\Temp\tmpE080.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe

"C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h-zcduz1.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3CA.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpE080.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE080.tmp.exe" C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe

Network


Files

memory/2592-0-0x0000000074611000-0x0000000074612000-memory.dmp

memory/2592-1-0x0000000074610000-0x0000000074BBB000-memory.dmp

memory/2592-2-0x0000000074610000-0x0000000074BBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\h-zcduz1.cmdline

MD5 dc2131c6d37380fc7f85a889c600e934
SHA1 66a212bd740c5dfc8b723c35aaba75f0da0ec3ae
SHA256 b2a99e26e10fbfdb54027828e073e4cc240a0a71075ff1128e9f076a5ce0b19d
SHA512 3c10f8edd720dd71a032756c32685ad375394742ac6607aaddf4adfedd785df421519e0082efcbd775cad372d2f730f98ebc585e4f840c0ad0ca4f6247fb0a7b

memory/2236-8-0x0000000074610000-0x0000000074BBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\h-zcduz1.0.vb

MD5 b52caa88377c43f99aa5dc03421017d8
SHA1 36f1df4497a59005f891a0e1df1a13f1ed80f4b9
SHA256 4e21eb92d0c2b10dc1221f259e5e8eafc622f1381c167acbb4dd6b7c3fbdc8b4
SHA512 d6ccb9a63fd7c55593ceeb198b680a7f813465a0ebb18c51666229d551b708d2d64975f4faeb1299fc82334e9a17da579ec992b8677ae2607e60d46d70b8079d

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbcE3CA.tmp

MD5 a9bf8a338e44936152cdbe18d49a8460
SHA1 5af5a9684a59910976424e32a3c1d4b89021e6bd
SHA256 66147ee47b1c0ed25f548af4133fc372a849f2c91cf8404e6522ed957be96d50
SHA512 731947c4b4af2055f1c46a701e0632b5a4fbfc2aae70211f045f1d62fd4272f492c74428ac37aff0834e18c1664d99b05283c82b1b25f4723944e6c0d07e0958

C:\Users\Admin\AppData\Local\Temp\RESE3CB.tmp

MD5 27f87a2997031f2648f213b06c90e069
SHA1 bf1f763b8d4e9c112afaff1067786b2514cfec2a
SHA256 949aa95173884369733eaf092fb394104d2294b2ecd01bb0d8c7c218b0c52c29
SHA512 db95ea245664de3fe72663369c8d71090986a5f1d83648f7b69c8075a3eeebb375b7b19b37974db1bf836594d8311a0d8a835aed5132c2125fb448a1d7a4f91b

memory/2236-18-0x0000000074610000-0x0000000074BBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE080.tmp.exe

MD5 c84c1032b75b7f8d96ba99834ba0340f
SHA1 4c66ce7ba7cc80f0261dfa1ecf18c3b73a5c097f
SHA256 303b733ba5fb639dc23f8d70d64840b9728091999a9088e173c2e7d9d54f92c3
SHA512 c38d9a71aeb2d5d361338f613c36aa8d3a9c5f33d8345d1da04cb1168a19d28d6092b770ab0e3a40d218efb02aeb9a803b44b177d792229c0191f2e4895fd3db

memory/2592-24-0x0000000074610000-0x0000000074BBB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 16:30

Reported

2024-11-05 16:32

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB268.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpB268.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB268.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpB268.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4212 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4252 wrote to memory of 212 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4212 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe C:\Users\Admin\AppData\Local\Temp\tmpB268.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe

"C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wuiqwj99.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB856D972988A4663B2C2D461901BE83.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpB268.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB268.tmp.exe" C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe

Network


Files

memory/4212-0-0x0000000075422000-0x0000000075423000-memory.dmp

memory/4212-1-0x0000000075420000-0x00000000759D1000-memory.dmp

memory/4212-2-0x0000000075420000-0x00000000759D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wuiqwj99.cmdline

MD5 b305d1708d66639051f2704c97c3f478
SHA1 5c80804dd4f53fdb2973defc66b0113d498ef262
SHA256 db50c7ec77c01d341ffa342cdab5cf56641d301e4c783bed404d6ab85f9144fd
SHA512 ff43cb09e3f3f361474d4d96d2062b5222f17e1d0e9ea7345b09b9be14236fa72fc23c3731eb0669c321155ef652b0a03592b2ef2002e35c8a42874a0a93ef46

memory/4252-8-0x0000000075420000-0x00000000759D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wuiqwj99.0.vb

MD5 1a9a1dc13ec78d32e6354d8202e47bcb
SHA1 09c7cc0b3c3ea2abebc12ca956d7db5d1baa56e7
SHA256 8342625acaa54212d902784f7b8ed0f444417553782a9133b419746cb90a38ce
SHA512 f1525479c674087d4e402a38ec7a3fd2c3f64ca90162c0fda610ec90a55df7cf6c77f3521720f7ff20d234bbf72f3b277117eb31c663e68408a179bc9b1ab0a5

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbcB856D972988A4663B2C2D461901BE83.TMP

MD5 a2bd0bec68b080ec02724df82d6a3c4f
SHA1 e67755c69f7f44c2e03c22d0751fdc30c8c111c8
SHA256 e41d8eef06fa954eda5b1c8f1b3ca0b5001ceef2d50865dd5902715dfea1f146
SHA512 a631708fc3ff9adbd0cf8ecb88154d13d612cdcd29f171010a6735b3ab90baa1f3929a0ea009fc7346aa988d41bf7273639eb51a3f3bc0342346246f27519c4a

C:\Users\Admin\AppData\Local\Temp\RESB3DF.tmp

MD5 578a841d41a2e63e6ac7ce63bb30d055
SHA1 a38a6e5d05d1ff20ffd8314e361c16d499288261
SHA256 c4faa0c14076530aa3b93f8c4a62c9d869c848da33fbcfbc4e682a23c8ec3230
SHA512 39b601fde025d9d40fa1754ae280a734824c72ef5819d7271db2e89920dd6b32c14d43d6b2bc9a55f964fe7631bc45676e9304ef4df749151da364c81a8f7570

memory/4252-18-0x0000000075420000-0x00000000759D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB268.tmp.exe

MD5 398ed26b419df131463cec052758452e
SHA1 f4e0e4c273799e61e0a88fc5a620d96c9cd0cb71
SHA256 374f18fa824b343892db689d9d8941cc53b5030d542b72a7ea28563fb1120afa
SHA512 2d3b274c32e7f8c5803945d9877e4c0b78f9f80348afe5d36fc020ad64239868462a8e3bb6feaf9e88a3855dcdea0c5290929b32061d67e2c8ed3a04cd1c118f

memory/4212-23-0x0000000075420000-0x00000000759D1000-memory.dmp

memory/4056-22-0x0000000075420000-0x00000000759D1000-memory.dmp

memory/4056-24-0x0000000075420000-0x00000000759D1000-memory.dmp

memory/4056-25-0x0000000075420000-0x00000000759D1000-memory.dmp

memory/4056-26-0x0000000075420000-0x00000000759D1000-memory.dmp