Malware Analysis Report

2024-11-16 13:11

Sample ID 241108-d65b3sxlbj
Target bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c
SHA256 bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c
Tags
metamorpherrat discovery rat stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c

Threat Level: Known bad

The file bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery rat stealer trojan

Metamorpherrat family

MetamorpherRAT

Deletes itself

Executes dropped EXE

Uses the VBS compiler for execution

Loads dropped DLL

Checks computer location settings

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 03:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 03:38

Reported

2024-11-08 03:40

Platform

win7-20240729-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2500 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2500 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2500 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2500 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2152 wrote to memory of 2816 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2152 wrote to memory of 2816 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2152 wrote to memory of 2816 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2152 wrote to memory of 2816 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2500 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp.exe
PID 2500 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp.exe
PID 2500 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp.exe
PID 2500 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe

"C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\72mwkkkl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C58.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C57.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp

Files

memory/2500-0-0x0000000074B41000-0x0000000074B42000-memory.dmp

memory/2500-1-0x0000000074B40000-0x00000000750EB000-memory.dmp

memory/2500-2-0x0000000074B40000-0x00000000750EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\72mwkkkl.cmdline

MD5 9ed26216a1c52f28b98f358bd52b16c9
SHA1 09e014ca48e4426a1cb71aa901f81fabdbe16544
SHA256 308901ab14592053b21d3d84bb1b6626ddb0bce3d4996aa049848b28457dc9f9
SHA512 ef3cdffaa68b3e4c642c01d588f5bf24300e4d7219839e42fbad6e0fc4a664551e3a5992af9f1770fed9b032c1764ded18501523c96c229374aaf77f57fb6d1b

memory/2152-8-0x0000000074B40000-0x00000000750EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\72mwkkkl.0.vb

MD5 0d87efd3bf789ea1388afd8c657dda7c
SHA1 c70dde37862fa6d9a0948220d9c4aa5992f592cc
SHA256 92d4e1b3f6a4ac4f7c89790acbda3d14a98f890b35a18aa3b4737cf3bdba3293
SHA512 be99f1537a9eedfc68db76049760de638d5513df95e918a2f753d90bf601bcc37d5c5910907c3b2eaaf7e84444a7b4942709d83134abac9e1939e8b203110169

C:\Users\Admin\AppData\Local\Temp\vbc1C57.tmp

MD5 082d67428a6a60aa2dc512e96ae12064
SHA1 031e0db6ce22846bb85bef249d9e230e4b91255d
SHA256 2b9462d97501b9e80543a6cc33673dd09f20a722eae7376875b71c3481de6b71
SHA512 3733acfb8c4bde9cfeca397d2b3404300886885f4882f6809351f364312e094b2b76343525d373a16d3b71bffc32b4961bbd11161f3be93548fbe3acbbdfc7b4

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 484967ab9def8ff17dd55476ca137721
SHA1 a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

C:\Users\Admin\AppData\Local\Temp\RES1C58.tmp

MD5 3d18c4bf297e3c21417bc5349bf4ea52
SHA1 3197aa74bad9a7f222a3d212a3893bbe41425123
SHA256 2d43fbf6384a2d76d29abd7b5dfaf471110a559b86c8b716fb44d3ed74ba8740
SHA512 29e9fbffa5329ee7b40a6f8ef95d7c653a74ff6da7d5066028500dc8e497382d841b3020cf909cd6e49b8ed25f3d35acd8805a68c46e9f208802416fd5d32fd6

memory/2152-18-0x0000000074B40000-0x00000000750EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp.exe

MD5 e0811f39f65b0012f3f5ce845cd22663
SHA1 4f0a24b5a91b65f678110769358971b00f8ad731
SHA256 82fb922fc3b46ef868068ae49d9221b6a0f79dc99dec6ef37239a2a54eca1f2a
SHA512 91b0e9524d04e132e50bc10a26d8f67a1bc57010332b095e90c10ea463a0a33c50f4834e48059e502cf595d2fe3d55fe098a610ce6720ac8aba4df5f28f7cd1d

memory/2500-24-0x0000000074B40000-0x00000000750EB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 03:38

Reported

2024-11-08 03:40

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp880C.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp880C.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp880C.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 316 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 316 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 316 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3348 wrote to memory of 1824 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3348 wrote to memory of 1824 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3348 wrote to memory of 1824 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 316 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe C:\Users\Admin\AppData\Local\Temp\tmp880C.tmp.exe
PID 316 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe C:\Users\Admin\AppData\Local\Temp\tmp880C.tmp.exe
PID 316 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe C:\Users\Admin\AppData\Local\Temp\tmp880C.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe

"C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zhxtg5ue.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8993.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5B52B48F1B4E4D188A304A5391916826.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp880C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp880C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bee7752564edc02154aaffd93b63a4c571c6b9d3b5ab79424d185d839d01561c.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/316-0-0x0000000075182000-0x0000000075183000-memory.dmp

memory/316-1-0x0000000075180000-0x0000000075731000-memory.dmp

memory/316-2-0x0000000075180000-0x0000000075731000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zhxtg5ue.cmdline

MD5 abf973e5e526f409945b0fb9c1b6f324
SHA1 e05cd7bc019e5d72621f8d46ade61994b1683863
SHA256 db67e04fa47117aa6794f7ed82eccd7962700dd664aebc7ca8788df8da8fd7c1
SHA512 5b96ea7b2730ac262add0dd941d04b2432808e5ca890375ad2b68642a1a1153b58ba8e6a84b9e19749e16791d0231521697b83542860b05ac75c2458ba83de73

C:\Users\Admin\AppData\Local\Temp\zhxtg5ue.0.vb

MD5 e2b5238cdcb9e68ca8cf321e1dd3908a
SHA1 cbed5742648821f7eb9b0e19ccce525bd499cd42
SHA256 501cd165e01d6091f44d2bc3b92302f4ab8b3c34e44b84351f86b267d484e203
SHA512 5b7274232cea5c04753c248668f46f7111e311643600705aa304c2617c17d38dff241c35d4164478ee1bec58ea782c976f23a353b30bb339d0c08f497049cd42

memory/3348-9-0x0000000075180000-0x0000000075731000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 484967ab9def8ff17dd55476ca137721
SHA1 a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

C:\Users\Admin\AppData\Local\Temp\vbc5B52B48F1B4E4D188A304A5391916826.TMP

MD5 ea7176beed2fc1d6baf8bf502c8cd35e
SHA1 3ea8d18fcf41838b5612a3e5e60e37dceddd626d
SHA256 19daa65b2aea2a55d8b8e086b985b452cee1bebb84d234f5fbc6ab6faecec978
SHA512 6d7b339648ad1177ede16df40bea1b346f61f0874202590ef79c5028d2d7d736d6be93484cf6943e167bdaca75951241d1560b3e31a0a4c2b6acc43a30190472

C:\Users\Admin\AppData\Local\Temp\RES8993.tmp

MD5 fbc8a143bc1306b87ce8feabe6b610db
SHA1 5a01450709228e6c0049b240fb421c7c1fa163ba
SHA256 834ec5bdd3f017812b8284058b7adc13341971307df2fa38023ff0e5874b2c1d
SHA512 43e6ea6f7d093de0380e670ddbb016cb6f69d5d4489bb6988ab585aecddaf8cf7d940e406aea28026b5bfeab519dc0a4219253ed755535a83cddcc30b16a1cef

memory/3348-18-0x0000000075180000-0x0000000075731000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp880C.tmp.exe

MD5 3b932380a022371e3dd167b6e09fdadc
SHA1 d3fc1161f62ca83b1ee838f8bc9ef269c1640df3
SHA256 a95f55fa32de128bec80357fe9542b5ea9c2b680665e7c393a9c64123cd582c6
SHA512 b427e98b0159a4d22779e4ee9dfae9c38424d424e5891032331a52c2686d462c925971025cb4b1c778c4b28eba1d09020a7e0a056605e18084e62cfceb256e8d

memory/316-22-0x0000000075180000-0x0000000075731000-memory.dmp

memory/1780-23-0x0000000075180000-0x0000000075731000-memory.dmp

memory/1780-24-0x0000000075180000-0x0000000075731000-memory.dmp

memory/1780-25-0x0000000075180000-0x0000000075731000-memory.dmp

memory/1780-26-0x0000000075180000-0x0000000075731000-memory.dmp

memory/1780-27-0x0000000075180000-0x0000000075731000-memory.dmp

memory/1780-28-0x0000000075180000-0x0000000075731000-memory.dmp

memory/1780-29-0x0000000075180000-0x0000000075731000-memory.dmp