Malware Analysis Report

2024-11-16 13:11

Sample ID 241110-pk183szldm
Target 205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN
SHA256 205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242c
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242c

Threat Level: Known bad

The file 205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Checks computer location settings

Uses the VBS compiler for execution

Loads dropped DLL

Executes dropped EXE

Deletes itself

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 12:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 12:24

Reported

2024-11-10 12:26

Platform

win7-20241023-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2396 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2396 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2396 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2580 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2580 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2580 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2580 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2396 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe
PID 2396 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe
PID 2396 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe
PID 2396 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe

"C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zwlrmsbb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC9C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC8B.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 tcp

Files

memory/2396-0-0x0000000074171000-0x0000000074172000-memory.dmp

memory/2396-1-0x0000000074170000-0x000000007471B000-memory.dmp

memory/2396-3-0x0000000074170000-0x000000007471B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zwlrmsbb.cmdline

MD5 40c419996a277b4bbed1a64e7b2231a8
SHA1 0c2b21157736ec9c7443d5e2c279b04161df37c3
SHA256 deb05f703cada602e65f4a677d1a0fa47134dbdb1615234c3daf0a2daa227610
SHA512 b20e1d179a299f072abc9f5ebee2687c7a5aea338f2bb048bfb77b2814b221d142ece76508a98380bf84ed6f920aa5d5cce6e97efe0a83abaf4c25ad3dcc4886

memory/2580-8-0x0000000074170000-0x000000007471B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zwlrmsbb.0.vb

MD5 1b4307200360aeed8738bf3048f589f5
SHA1 b2ca97d7064d59f38e2a4e3ad148a9e42404e351
SHA256 f4630cf388def51c9aa8efa47c006daf310ac33fb32007881b839e9098c76eec
SHA512 5f8ce2d0b7fabf274b2f6002698198650aa8fe5edc95761e59cef2bd70a63b33aa7e48dc28e5548676b839f3beb32bd1913314963bd001976ef4427cbaca4053

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbcBC8B.tmp

MD5 dc6fed78bca8f74a9b182192659e3c16
SHA1 44b25cca962c2e1f61dbbd5f358d1e308a7b7764
SHA256 fff93982294bec27e1dde6ac72cc67c55b0cafa492e1201e30d4197e008ffe33
SHA512 1dd0a8c646a227ca86a732be9690b2edd20022981448ec87286731c6b0681b746656e44aa5557ae5becc1c90824e693323e7bc83d785033aacd60833c97c09cb

C:\Users\Admin\AppData\Local\Temp\RESBC9C.tmp

MD5 a4f959f886a4ebad6fec233c02cb65bd
SHA1 7e09654ef631f85ffc01840cf3a348cb87519358
SHA256 c26d6ceab69ca50d5f5cbc5106162e2ee0f121a0aece9a444fbca9e32b9672ca
SHA512 b3e859a95202b09d83a23f52920c8e40ec4cbbedf8af7b7e2615bebaecba36f84c1c1a3547710ba8484259178310059615887eea79853279c92e5f23fd004689

memory/2580-18-0x0000000074170000-0x000000007471B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp.exe

MD5 c5194513e68592091082593335858a81
SHA1 58542b8d41aeda842965a1b3ddf3a78e53a56d60
SHA256 fe1f1b1904d24c5cd0ec682adb4f520c41bc41a54aae7a7d8e8ceeda5f4469f9
SHA512 8fa7665045f08d33289ddd7fabe26d5d959cb71f65a5460d43f14263b421b773fd7d51808f5c9cb486086b7fe0d365c2358817edbb36082cb472f5cbaccb9e0d

memory/2396-24-0x0000000074170000-0x000000007471B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 12:24

Reported

2024-11-10 12:26

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1648 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1648 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1648 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2520 wrote to memory of 2956 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2520 wrote to memory of 2956 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2520 wrote to memory of 2956 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1648 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe
PID 1648 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe
PID 1648 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe

"C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m5qnebmz.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E55.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDC1AF78F5E35455E88AD7A4124FC6BCD.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe" C:\Users\Admin\AppData\Local\Temp\205b934780ec4c225c3150bbae0786b3e92fb6474f7561ec0f8a256cfb65242cN.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/1648-0-0x0000000074E92000-0x0000000074E93000-memory.dmp

memory/1648-1-0x0000000074E90000-0x0000000075441000-memory.dmp

memory/1648-2-0x0000000074E90000-0x0000000075441000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\m5qnebmz.cmdline

MD5 2e78c7850f9468a75c99ee752b527980
SHA1 3394f05848892cabca58ab42886a6495f3c62eed
SHA256 ff169386ee69289f880ce7f9f357d43f46efa2a0162859d4c93284f89e3102df
SHA512 9fef2aa449cb0caa80474dc9e7bcd13a6437cf60aff8f65e65c46272a9cf211cc21850c8252bd842f9d33c09c41ed9c206bdca9d7ce03251a274778323cb1fb0

C:\Users\Admin\AppData\Local\Temp\m5qnebmz.0.vb

MD5 73807e3ec95635d5e644015cda7a816c
SHA1 7042ae3a9d42ab2ba8845cfaba2023da39c64980
SHA256 e2a033cec2d638760cec8222cfb62cfd1ad95fdeeae59074fdce90dce425bd86
SHA512 dc4805bf8be4c9f4834f54f2ea9642cfa4a1ddcee0761bbfdbe8155752d4945baee43e413fc6c1fdc1df42934cd9fb38bacfe8c9de5762ae3b3e2c6211131b75

memory/2520-9-0x0000000074E90000-0x0000000075441000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbcDC1AF78F5E35455E88AD7A4124FC6BCD.TMP

MD5 6c12edec29debd4b59e6605230a4b284
SHA1 f3a5bc427349534b4a702e9d8ddd715a8880d503
SHA256 0bb208a2bed30886af6ef7aa16bfb8d4a5c33c4f522869db96ae1b23466707ab
SHA512 0223ba2227def9537fcd25f119ec2087101b94edb317a490f01a2113a19d80c2dfb1e8f524eb4fe44f101efd2a80c0797e534ecd75f1630171ac369ddffb62e5

C:\Users\Admin\AppData\Local\Temp\RES8E55.tmp

MD5 b6af9d4f5e05b63af78d8dfad8e0d50d
SHA1 c57e360c3bdc053f52ece80bc9116007a236476a
SHA256 01cfe9edaa9f356d5fe2efa95529bdccb9b642c36566f8145abc6e8fb389a205
SHA512 7c0c0e0d2e7ef23dec812f6aec0d999e7b683e6d2f915bf48245b764979e0532383741df87b70af57a39126359acbd32fd3070c8e242979d4d9e578874b0bc5d

memory/2520-18-0x0000000074E90000-0x0000000075441000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8B38.tmp.exe

MD5 14774de259a0fe46c8f11f250027bd71
SHA1 7c382fe7ab89ec693de0ae70e83c7b84f85d3114
SHA256 b4c69a2f85ebb409756b23832c3897cb3548accddbf9bfcf974fbd67a43c699c
SHA512 3dc996b9005bbbb74b4541291e02d60886cc921eabb7e6ffab733789e0575803da6c9e55f3d9cc339d3c53672ea4cd1a23367ac35f04cd21194962ee5824f042

memory/1648-22-0x0000000074E90000-0x0000000075441000-memory.dmp

memory/4312-24-0x0000000074E90000-0x0000000075441000-memory.dmp

memory/4312-23-0x0000000074E90000-0x0000000075441000-memory.dmp

memory/4312-25-0x0000000074E90000-0x0000000075441000-memory.dmp

memory/4312-26-0x0000000074E90000-0x0000000075441000-memory.dmp

memory/4312-27-0x0000000074E90000-0x0000000075441000-memory.dmp