Malware Analysis Report

2024-11-16 13:11

Sample ID 241110-ngmqvayngl
Target 30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N
SHA256 30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446
Tags metamorpherrat discovery rat stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446

Threat Level: Known bad

The file 30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N was found to be: Known bad.

Malicious Activity Summary

Tags metamorpherrat discovery rat stealer trojan

Signatures:
  MetamorpherRAT
  Metamorpherrat family
  Deletes itself
  Uses the VBS compiler for execution
  Loads dropped DLL
  Checks computer location settings
  Executes dropped EXE
  Unsigned PE
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  Suspicious use of WriteProcessMemory
  Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-10 11:22

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-10 11:22
Reported 2024-11-10 11:24
Platform win10v2004-20241007-en
Max time kernel 119s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe"

Signatures

MetamorpherRAT
Tags trojan rat stealer metamorpherrat

Metamorpherrat family
Tags metamorpherrat

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe
Target: N/A

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe
Target: N/A

Uses the VBS compiler for execution

(Sandbox signature name. The binary involved is vbc.exe under C:\Windows\Microsoft.NET\Framework\v2.0.50727, the .NET Framework 2.0 Visual Basic compiler, not the VBScript engine; the compiler command lines are listed under Processes.)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes (one event each):
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Processes (one event each):
  C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe
  C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe
Target: N/A

Suspicious use of WriteProcessMemory

Indicator: N/A for all rows.

PID 3108 wrote to memory of 1828 (3 events)
  Process: C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe
  Target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

PID 1828 wrote to memory of 1404 (3 events)
  Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  Target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

PID 3108 wrote to memory of 1952 (3 events)
  Process: C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe
  Target: C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe

Processes

Process tree (PIDs taken from the WriteProcessMemory events above; indentation shows parent/child):

[3108] C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe
       "C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe"

  [1828] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nq0ndqoh.cmdline"

    [1404] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
           C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8107.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc276197E7F3D74F9180716411AA52CA0.TMP"

  [1952] C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe
         "C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe

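The process list above is the .NET compile-at-runtime pattern: the sample writes a Visual Basic source file (nq0ndqoh.0.vb, listed under Files) and a response file, runs the Framework 2.0 vbc.exe with /noconfig @<response file>, vbc.exe spawns cvtres.exe to link the resource object, and the sample then launches the freshly built tmp801D.tmp.exe with its own path on the command line (that child is the process the "Deletes itself" signature fired on). The detector below is an added example, not part of the sandbox output: it takes process-creation events (PID, parent PID, image, command line) and flags each stage, then correlates them under the root process. The DEV_PARENTS allow-list and the explorer.exe and devenv.exe events are assumptions for the demonstration; the remaining sample events are built from the PIDs and command lines in this section.

```python
"""Detect the compile-at-runtime chain seen in this report from process-creation events.

Each event carries pid, ppid, image and command line (what Sysmon Event ID 1 or an
EDR process log gives you). SAMPLE_EVENTS is constructed from the PIDs and command
lines recorded in the behavioral2 detonation plus two assumed extras (an explorer.exe
root and a benign devenv.exe compile) so that the allow-list path is exercised.
"""
import re
from dataclasses import dataclass

# User Temp directory, and the tmp<hex>.tmp.exe name the sample gave its build output.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
TMP_EXE_RE = re.compile(r"\\tmp[0-9a-f]{4}\.tmp\.exe$", re.IGNORECASE)
# The .NET Framework command-line compilers (VB and C#), any framework version.
NET_COMPILER_RE = re.compile(
    r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\(vbc|csc)\.exe$", re.IGNORECASE)
# A response-file argument such as @"C:\...\nq0ndqoh.cmdline".
RESPONSE_FILE_RE = re.compile(r'@"?[^"\s]+\.cmdline', re.IGNORECASE)
# Assumed allow-list of parents that legitimately drive these compilers; tune per environment.
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe", "dotnet.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_runtime_compilation(events):
    """Return (finding, parent_pid, child_pid) tuples, one per suspicious parent/child pair."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # Stage 1: vbc.exe/csc.exe fed a response file by something that is not a build tool.
        if (NET_COMPILER_RE.search(e.image) and RESPONSE_FILE_RE.search(e.command_line)
                and basename(parent.image) not in DEV_PARENTS):
            findings.append(("net_compiler_spawn", parent.pid, e.pid))
            if TEMP_DIR_RE.search(parent.image):
                findings.append(("compiler_parent_in_temp", parent.pid, e.pid))
        # Stage 2: cvtres.exe under the compiler (resource linking of the freshly built PE).
        if basename(e.image) == "cvtres.exe" and NET_COMPILER_RE.search(parent.image):
            findings.append(("cvtres_under_compiler", parent.pid, e.pid))
        # Stage 3: a tmp<hex>.tmp.exe started out of Temp.
        if TEMP_DIR_RE.search(e.image) and TMP_EXE_RE.search(e.image):
            findings.append(("temp_tmp_exe_executed", parent.pid, e.pid))
            # The child receives its parent's own path; tmp801D.tmp.exe, the process the
            # report flags for "Deletes itself", was started exactly this way.
            if parent.image.lower() in e.command_line.lower():
                findings.append(("parent_path_passed_to_child", parent.pid, e.pid))
    return findings


def summarize_chains(events, findings):
    """Group findings under the root process and say whether the full chain is present."""
    by_pid = {e.pid: e for e in events}
    required = {"net_compiler_spawn", "cvtres_under_compiler", "temp_tmp_exe_executed"}
    per_root = {}
    for kind, ppid, pid in findings:
        # cvtres.exe's parent is the compiler; charge it to the compiler's parent instead.
        root = by_pid[ppid].ppid if kind == "cvtres_under_compiler" else ppid
        per_root.setdefault(root, set()).add(kind)
    return {root: {"stages": sorted(kinds), "full_chain": required <= kinds}
            for root, kinds in per_root.items()}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(5000, 4000, r"C:\Windows\explorer.exe", "explorer.exe"),  # assumed root
    ProcEvent(3108, 5000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1828, 3108, FW + r"\vbc.exe",
              rf'"{FW}\vbc.exe" /noconfig @"{TEMP}\nq0ndqoh.cmdline"'),
    ProcEvent(1404, 1828, FW + r"\cvtres.exe",
              rf'{FW}\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\RES8107.tmp" '
              rf'"{TEMP}\vbc276197E7F3D74F9180716411AA52CA0.TMP"'),
    ProcEvent(1952, 3108, TEMP + r"\tmp801D.tmp.exe",
              rf'"{TEMP}\tmp801D.tmp.exe" {SAMPLE}'),
    # Assumed benign control: Visual Studio driving the same compiler the same way.
    ProcEvent(7000, 5000, r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
              "devenv.exe"),
    ProcEvent(7001, 7000, FW + r"\vbc.exe", rf'"{FW}\vbc.exe" /noconfig @"C:\build\proj.cmdline"'),
]

if __name__ == "__main__":
    found = detect_runtime_compilation(SAMPLE_EVENTS)
    for f in found:
        print(*f)
    print(summarize_chains(SAMPLE_EVENTS, found))
```

Run against the sample events, the three required stages all resolve to root PID 3108 and the chain is reported complete, while the devenv.exe-driven vbc.exe produces no finding because its parent is on the allow-list. On a real host, feed it the process-creation stream for a single boot and alert on any root with full_chain set; compiler_parent_in_temp and parent_path_passed_to_child are the two extra signals that separate this sample from an ordinary CodeDOM build.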
Network

Country Destination Domain Proto Count
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp 1
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp 1
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp 1
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 bejnz.com udp 1
US 44.221.84.105:80 bejnz.com tcp 35
N/A 127.0.0.1:127 (none) tcp 35
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp 1
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp 1
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp 1
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp 1
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp 1

Count is the number of identical rows in the detonation's connection log; rows are in order of first appearance. The 35 TCP connections to 44.221.84.105:80 (bejnz.com) alternate with 35 TCP entries to 127.0.0.1:127, which carry no domain.
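The Network table records every connection as its own row, and the 127.0.0.1:127 rows have an empty Domain column, so a naive whitespace split shifts their fields. The parser below is an added example, not part of the report: it reads that row format, tolerates the missing column, separates PTR (in-addr.arpa) lookups and loopback entries from real outbound connections, and ranks the remaining destinations by hit count. SAMPLE_TABLE is a constructed excerpt with the same row shapes as the table above (fewer repetitions); ptr_to_ip shows that one of the reverse lookups, 105.84.221.44.in-addr.arpa, is for the bejnz.com address itself.

```python
"""Aggregate a sandbox report's flat Network table into countable IOCs.

Rows are "Country Destination Domain Proto", but the loopback rows carry no
Domain, so they split into three tokens instead of four; the parser must not
shift columns on those. SAMPLE_TABLE is a constructed excerpt of the
behavioral2 table on this page (same row shapes, fewer repetitions).
"""
import ipaddress
from collections import Counter

SAMPLE_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
"""


def parse_network_table(text):
    """One dict per row; tolerates the three-token rows whose Domain column is empty."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].lower() == "country":
            continue  # blank line or header
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:  # Domain column empty (the 127.0.0.1:127 rows)
            country, dest, proto = parts
            domain = ""
        else:
            raise ValueError(f"unexpected row shape: {line!r}")
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def classify(row):
    """Separate C2-style connections from DNS traffic and sandbox loopback noise."""
    if ipaddress.ip_address(row["ip"]).is_loopback:
        return "loopback"
    if row["domain"].endswith(".in-addr.arpa"):
        return "ptr_lookup"
    if row["port"] == 53:
        return "dns_query"
    return "connection"


def ptr_to_ip(name):
    """'105.84.221.44.in-addr.arpa' -> '44.221.84.105' (the address being reverse-resolved)."""
    labels = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(labels))


def summarize(rows):
    """Counts per (class, ip, port, domain, proto), in first-seen order."""
    return Counter((classify(r), r["ip"], r["port"], r["domain"], r["proto"]) for r in rows)


def c2_candidates(rows):
    """Non-loopback, non-DNS destinations with hit counts, most contacted first."""
    hits = Counter((r["ip"], r["port"], r["domain"], r["proto"])
                   for r in rows if classify(r) == "connection")
    return hits.most_common()


def resolved_ptr_targets(rows):
    """Addresses the sandbox reverse-resolved; compare against c2_candidates to tie PTR noise to the C2."""
    return sorted({ptr_to_ip(r["domain"]) for r in rows if classify(r) == "ptr_lookup"})


if __name__ == "__main__":
    parsed = parse_network_table(SAMPLE_TABLE)
    for key, n in summarize(parsed).items():
        print(n, *key)
    print("C2 candidates:", c2_candidates(parsed))
    print("PTR targets:", resolved_ptr_targets(parsed))
```

Paste the full table from this page in place of SAMPLE_TABLE and c2_candidates returns the single real destination, 44.221.84.105:80 (bejnz.com), with its hit count, while the eleven PTR lookups and the loopback rows are kept out of the IOC list.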

Files

memory/3108-0-0x0000000074EE2000-0x0000000074EE3000-memory.dmp

memory/3108-1-0x0000000074EE0000-0x0000000075491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nq0ndqoh.cmdline

MD5 af754eb77699f9f6935edb0c37fdc7ec
SHA1 6bd1a920cf6eef2cf68a55d99454449d03acf334
SHA256 d58d10b0bb6aa4846db866317e24ade5504b35fcd1b759a435c5dce16a07f5dd
SHA512 e9f2ae4ff138bec142050af7ca23c31248abe69c8f081cf04d712ca183607ec5a48388257a6248190f558dc2050e3797ecf5cb34baab82ccb1e3f1cf714c493e

C:\Users\Admin\AppData\Local\Temp\nq0ndqoh.0.vb

MD5 6aad8cff11ecc5983a4134e45f66fb4f
SHA1 f049c5ad319927233fcf90fe76f35365cc83d22c
SHA256 7eea27ea30e597512f069b4f82b11c9eaecd4090a81af00397a18e562dd916c0
SHA512 4372061c89420d968269635d61f3e9cc8f48e5e9cec75a113afc170f66c51a9cb379ad3fc691493e3cc38a2a8d77a3963069fb7e8cd783b653b626f347089ad5

memory/1828-8-0x0000000074EE0000-0x0000000075491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 484967ab9def8ff17dd55476ca137721
SHA1 a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

C:\Users\Admin\AppData\Local\Temp\vbc276197E7F3D74F9180716411AA52CA0.TMP

MD5 a5ada5f00d91d3ff1c6b2937f036908f
SHA1 54c3b9e339a35f7b3fb72c5290546576453a77d1
SHA256 8a42261fa32f829411ab4d1a1112526cc6d0c154a40263b868ea56b468964aec
SHA512 12763f48c941a220e278ae55316f5c9ed000365bb2697953f68e5087a78aa13b036956a85327188a8aca54bb433f4cac3250674b0e4531288932865345e44a71

C:\Users\Admin\AppData\Local\Temp\RES8107.tmp

MD5 a4c58014f85db94a3f450b21e58b33c1
SHA1 c690e03f064c2559aff6971f06d5e3e279bd5100
SHA256 af6832a50eed3954c9fcb5e853f71ea6288f0173953babcc5e9cd0aabe0bfaed
SHA512 50bfaee0fdacadbdeca708621d34905b581908f3d51708bd3dafb2792de664fb0898d6d78e93f72b76e52607e620413e190b2cb0b7781e36817b8e4bef38e57f

memory/1828-17-0x0000000074EE0000-0x0000000075491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.exe

MD5 d0c7f019a3d9a283a7a660fdcfc438c8
SHA1 ff8afe165454c5ad26220e6e48459a3d51efdf1e
SHA256 64dec760c38b700f5d5e6d7266f8ebbda4d6571da11d86cc4c3d95a48a02d5b6
SHA512 3d48886e6d665c24113f924948c5a4263a2af3e518ff0e88cdb2883025ed884f1da3446b43efd9a53e4421aa874d6bb6ceb0bea4dc98f32d52decb3fe60ae19a

memory/3108-21-0x0000000074EE0000-0x0000000075491000-memory.dmp

memory/1952-22-0x0000000074EE0000-0x0000000075491000-memory.dmp

memory/1952-23-0x0000000074EE0000-0x0000000075491000-memory.dmp

memory/1952-24-0x0000000074EE0000-0x0000000075491000-memory.dmp

memory/1952-25-0x0000000074EE0000-0x0000000075491000-memory.dmp

memory/1952-26-0x0000000074EE0000-0x0000000075491000-memory.dmp

memory/1952-27-0x0000000074EE0000-0x0000000075491000-memory.dmp

memory/1952-28-0x0000000074EE0000-0x0000000075491000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-10 11:22
Reported 2024-11-10 11:24
Platform win7-20241010-en
Max time kernel 119s
Max time network 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe"

Signatures

MetamorpherRAT
Tags trojan rat stealer metamorpherrat

Metamorpherrat family
Tags metamorpherrat

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\tmp9FB9.tmp.exe
Target: N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes (one event each):
  C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  C:\Users\Admin\AppData\Local\Temp\tmp9FB9.tmp.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe
Target: N/A

Suspicious use of WriteProcessMemory

Indicator: N/A for all rows.

PID 1688 wrote to memory of 1236 (4 events)
  Process: C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe
  Target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

PID 1236 wrote to memory of 2220 (4 events)
  Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  Target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

PID 1688 wrote to memory of 2960 (4 events)
  Process: C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe
  Target: C:\Users\Admin\AppData\Local\Temp\tmp9FB9.tmp.exe

Processes

Process tree (PIDs taken from the WriteProcessMemory events above; indentation shows parent/child):

[1688] C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe
       "C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe"

  [1236] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lieq6qms.cmdline"

    [2220] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
           C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA362.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA351.tmp"

  [2960] C:\Users\Admin\AppData\Local\Temp\tmp9FB9.tmp.exe
         "C:\Users\Admin\AppData\Local\Temp\tmp9FB9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\30c09acd90a54ebb70b0fa1527505cc1244f01fbe375c30530d735b615b65446N.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 44.221.84.105:80 bejnz.com tcp 47
N/A 127.0.0.1:127 (none) tcp 47

Count is the number of identical rows in the detonation's connection log. The 47 TCP connections to 44.221.84.105:80 (bejnz.com) alternate with 47 TCP entries to 127.0.0.1:127, which carry no domain; this Windows 7 run shows no reverse (in-addr.arpa) lookups.

Files

memory/1688-0-0x0000000074F01000-0x0000000074F02000-memory.dmp

memory/1688-1-0x0000000074F00000-0x00000000754AB000-memory.dmp

memory/1688-2-0x0000000074F00000-0x00000000754AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lieq6qms.cmdline

MD5 be940e1e9f7e26623414714605318410
SHA1 c1d429f2e3416710b26cd2bc7188b4a0fbf7299d
SHA256 0246d56a67f3de3337d23953c02a4f20d46f0a0caf74e8bc3aff1f6a3614aa2d
SHA512 5d654ad845589ff379d4fef2e3a55bcdf79a52197780791dabae541a168a44ff20b321d837f95e11a9d93da4fe18cfb942939ae4c105b265933735fc2759a8b5

memory/1236-8-0x0000000074F00000-0x00000000754AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lieq6qms.0.vb

MD5 abd00e1faceee6d0117c718905f6c7a7
SHA1 7f2b78a37e11aa41483d046a1ae356797fee9de0
SHA256 0fe5dcf596e48cb9b62b71469bc5b2f39283969831ba02ec01d0eea56b90e4df
SHA512 52078a697fe59d7d9f3f53661ca9b44efc97106e8e153b9675762ce90f27607bdcaf00146fa8d88767974fd851b7761a0a521d4ef9e3dc4cc58ea159bf7e2ab7

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 484967ab9def8ff17dd55476ca137721
SHA1 a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

C:\Users\Admin\AppData\Local\Temp\vbcA351.tmp

MD5 7402ee4455ab376a7495ffd72b57235a
SHA1 be5a936be83e896a7a43e560f36b87b804f7999f
SHA256 4f68aab4ee50f5c81274f3e8f29cbe67ad5d3b5d8277b54e84b68c676caf091d
SHA512 f0b5ebb89140e7dae51ce3417d1d36ffebc5231327ae5cba4eddfa32ff5cfcdb24ac772451d242b494659577fc6e59c08f2093887bce83dfe538d5c1c9e47827

C:\Users\Admin\AppData\Local\Temp\RESA362.tmp

MD5 8045584cc180d81033a1bae5e8fbd642
SHA1 5bcd8598247c434bd46e4af2443f3a4c03264ddb
SHA256 65343ea69eba57220412cefa19a836edba73c8fc95f0334038deba1c33008ac1
SHA512 84553f4ed9a367b0c4e03ba2db6d865c122712e388a4b97755e3918f5decfce76bb06f1c2bf36bd6ba1c8f77ad5ebda24e2e5b2b52f3d28cae6a30e1608606e1

memory/1236-18-0x0000000074F00000-0x00000000754AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9FB9.tmp.exe

MD5 56343538b3c7a311ae759a5d54c171e6
SHA1 b072fe277ea1e887b78486905117a4719ee45c9c
SHA256 11f419e0ce8f6a24b62cbc4e6a4a0ee07a616fed678daf21ba85d1b445405140
SHA512 f22279675fc1020fe14832cec29d8313045e7db292558db2b31e86a69f0a615d11ae69deece56689c9e5c5c45c2200417c5eec5afd596edd2cd2fb9c334ce386

memory/1688-24-0x0000000074F00000-0x00000000754AB000-memory.dmp