Malware Analysis Report

2024-11-16 13:11

Sample ID: 241112-fb5epstrbs
Target: 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
SHA256: 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7
Tags: metamorpherrat discovery rat stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7

Threat Level: Known bad

The file 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe was found to be: Known bad.

Malicious Activity Summary

Tags: metamorpherrat discovery rat stealer trojan

Metamorpherrat family

MetamorpherRAT

Executes dropped EXE

Checks computer location settings

Uses the VBS compiler for execution

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-12 04:42

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-12 04:42
Reported: 2024-11-12 04:44
Platform: win10v2004-20241007-en
Max time kernel: 117s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe"

Signatures

MetamorpherRAT

Tags: trojan rat stealer metamorpherrat

Metamorpherrat family

Tags: metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmp.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2160 wrote to memory of 4916 | N/A | C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | 3
PID 4916 wrote to memory of 2272 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | 3
PID 2160 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe | C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmp.exe | 3

Count is the number of identical events recorded for that row.

Processes

C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe

"C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ic_newhd.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78BA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF57E8BD453CE43989F8B5AB0665586D4.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | bejnz.com | udp | 1
US | 44.221.84.105:80 | bejnz.com | tcp | 34
N/A | 127.0.0.1:127 | | tcp | 34
US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp | 1

Count is the number of identical connection entries recorded for that row; the tcp connections to bejnz.com and the loopback entries alternate throughout the capture, with the reverse-lookup queries interleaved in the order listed.

Files

memory/2160-0-0x0000000075092000-0x0000000075093000-memory.dmp

memory/2160-1-0x0000000075090000-0x0000000075641000-memory.dmp

memory/2160-2-0x0000000075090000-0x0000000075641000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ic_newhd.cmdline

MD5 f0914c9ec11c9e956563ae1387ca291e
SHA1 2472a8bc4e4b180f7ce4397a1fbea47d40797c9b
SHA256 6da8ac7f60c10cf7c14b584a87978e907a74dfbcaf89f6d1913d92da17ad05a6
SHA512 8fc049513e24a90efaac7e8a129c2567435ecfc722693b0857cc3401a5f9484659fe8ffa5213297f5ed359b63dc72be8d02761083922f6ac9f6d3f2db31f4ab2

memory/4916-9-0x0000000075090000-0x0000000075641000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ic_newhd.0.vb

MD5 bac0467574e6b1d230de001a09f3b9ca
SHA1 1f83f858761398c33ab6a5530517db8a50202a28
SHA256 bf2fea91b8767dcc1037388f4be71a8e0b08a0381075327087750b23bfa50073
SHA512 82d678b9ad135deae6da900319f02bd91d3c40d3a6cf59077b490162b876104d5d21b165e4afc138c960278dc97fe03a409049239247ccd21f4cd1fa2e8f3fc4

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 484967ab9def8ff17dd55476ca137721
SHA1 a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

C:\Users\Admin\AppData\Local\Temp\vbcF57E8BD453CE43989F8B5AB0665586D4.TMP

MD5 6466d4aca48fc165a0ef43297f108e74
SHA1 1fb5a3c8fd19e3afa9b7b96f6dec0f714fc9919a
SHA256 329d3225e69f85423a777ed69542614724ba1a01f47fba2b8a65caf8f8e9b148
SHA512 3f4879254ba67190dc613cb666b52fcf287db0c5e18b76276d8a94b16855334fc298a61ab1054a3e3ab21b776912a8dc7d383ae99279e6af248f76679ad3c60f

C:\Users\Admin\AppData\Local\Temp\RES78BA.tmp

MD5 dbd68386bbd240981d216ceca729bcb8
SHA1 e185e3144306df86ad3cb85de5b72f121bed7abb
SHA256 51487161d5aa5e5657ef1a56414594b8fb8c067ca0a074ed1b7e90ef9ebdd823
SHA512 fec14bebfb48402abe71e5ecb759e26d49e828b5ea1c39c2b8a003c4dcd96399e2d0311b26ef986a0cfc7bdb49fd9f6e44c2f6364b405fd76018c56a05888e93

memory/4916-18-0x0000000075090000-0x0000000075641000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmp.exe

MD5 5409f928300529601f7c9d7b67058672
SHA1 98ed297a3faffc0fc2971004addce27ab935fec1
SHA256 30dd4c59d143ef605f84eb8025ac4c18cb60606778a64bc53dca78e36148f90f
SHA512 933204d03dc709739bd22080dc3b831785babfeaebc64eaa1af9b50cec0465f7bf7217b6cce34828a85c88a09382245668d7f64ac22aa080bac91c8522c2c6f6

memory/2388-23-0x0000000075090000-0x0000000075641000-memory.dmp

memory/2160-22-0x0000000075090000-0x0000000075641000-memory.dmp

memory/2388-24-0x0000000075090000-0x0000000075641000-memory.dmp

memory/2388-25-0x0000000075090000-0x0000000075641000-memory.dmp

memory/2388-26-0x0000000075090000-0x0000000075641000-memory.dmp

memory/2388-27-0x0000000075090000-0x0000000075641000-memory.dmp

memory/2388-28-0x0000000075090000-0x0000000075641000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-12 04:42
Reported: 2024-11-12 04:44
Platform: win7-20240708-en
Max time kernel: 120s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe"

Signatures

MetamorpherRAT

Tags: trojan rat stealer metamorpherrat

Metamorpherrat family

Tags: metamorpherrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB70F.tmp.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpB70F.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2568 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | 4
PID 1712 wrote to memory of 2356 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | 4
PID 2568 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe | C:\Users\Admin\AppData\Local\Temp\tmpB70F.tmp.exe | 4

Count is the number of identical events recorded for that row.

Processes

C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe

"C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\exelec5z.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB868.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB867.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpB70F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB70F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | bejnz.com | udp | 1
US | 44.221.84.105:80 | bejnz.com | tcp | 48
N/A | 127.0.0.1:127 | | tcp | 49
US | 44.221.84.105:80 | | tcp | 1

Count is the number of identical connection entries recorded for that row; the tcp connections to bejnz.com and the loopback entries alternate throughout the capture, and the final tcp connection to 44.221.84.105:80 was logged without a domain.

Files

memory/2568-0-0x0000000074921000-0x0000000074922000-memory.dmp

memory/2568-1-0x0000000074920000-0x0000000074ECB000-memory.dmp

memory/2568-2-0x0000000074920000-0x0000000074ECB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\exelec5z.cmdline

MD5 8c809f8ecf5be9c3b074e203eabdedd7
SHA1 fa525dab2cc18370ac99cc584f8f4f1d29ef4188
SHA256 a17e82fbba2475f35f9ad8536f9903dff3a0a79c5f12ed08dec89b2b66806c88
SHA512 650484a2c1964f528eee6167331ee3b02b4b11cf29f14ecac2971b62dd7df0bd4b5f421709cbdfdefcccce0e3f2034b9573d4dfa3227aeb9f46a3716c3844a02

memory/1712-8-0x0000000074920000-0x0000000074ECB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\exelec5z.0.vb

MD5 43b1d63cb62d52ee23f8fb5811de4821
SHA1 c33612fcbd033c42f293910e87f2fc2e0f5ab691
SHA256 73c30c8dfdfb8bc45fa3ba72c19ecc9116785b2f5edec8c7e5f9f383cacaa81d
SHA512 3f6fbe9f269d7b14cbf583f2c65df595e89e647ff6790d916940198acf9a9066264d484a5ebec257e8dd2ee163886f7b3d8b1f96cff416a13da8e827d7a0bdac

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 484967ab9def8ff17dd55476ca137721
SHA1 a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

C:\Users\Admin\AppData\Local\Temp\vbcB867.tmp

MD5 346322d427537e1b37608fbac3128676
SHA1 4260800bc97e3560a0ce5adfd623e22f57dc7e2d
SHA256 00fc2db797deb908c2c1e9fd6a1d4e2685bcc47fdc49bfbe5d88b10bd163e2cc
SHA512 15dc3f819a83d061fea9dbf2530705f1f993eec5c70bc28873658680c8ac99b523cdeaa257f576934b05c73945bfacba5a7ed7f73e21fc8f98644fd287d866b7

C:\Users\Admin\AppData\Local\Temp\RESB868.tmp

MD5 c1548d321d3d90c8a9dc1a542a84372d
SHA1 bbfa9fddddf9bcfb0461ea2dc7c3c2826c671835
SHA256 de9526b74757f3d07ee3d193ce7f84dec9f9d71d19d38ca7650c106e46474f2c
SHA512 3987b55b5fa508f9b26080486b40871f2eb641b266bc0ecec619511fee98b40ca865055897d30a90bdb2c447807ea62e8e22ad76f46d7ba3b109aca9cc4caac1

memory/1712-18-0x0000000074920000-0x0000000074ECB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB70F.tmp.exe

MD5 a103730bcc25c9bbb81724f383f14115
SHA1 e8db52048295250c36b073ba17e59f0970afc645
SHA256 d30c161dbbadc245a1c15e85454e956ca80da1e28d52253d5549e445a2b4699b
SHA512 0da5db7e7284b43b05a495bbb37fb2e207e8a30fb3965ab47a803f6661005d2c03b27a89ffc1c9aefd2ecf2548da9418eea85ac187321d5ed0c89130f5cb387d

memory/2568-24-0x0000000074920000-0x0000000074ECB000-memory.dmp