Malware Analysis Report

2024-11-16 13:11

Sample ID: 241112-tvkraswgjm
Target: 29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe
SHA256: 29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94
Tags: metamorpherrat discovery persistence rat stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94
Threat Level: Known bad

The file 29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe was found to be: Known bad.

Malicious Activity Summary

Tags: metamorpherrat discovery persistence rat stealer trojan

Metamorpherrat family

MetamorpherRAT

Loads dropped DLL

Executes dropped EXE

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-11-12 16:22

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-12 16:22
Reported: 2024-11-12 16:24
Platform: win7-20241010-en
Max time kernel: 118s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3830.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp3830.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp3830.tmp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3830.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 2492 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | 4
PID 2180 wrote to memory of 2456 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | 4
PID 2492 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe | C:\Users\Admin\AppData\Local\Temp\tmp3830.tmp.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe

"C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4mss3g5a.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AEF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3AEE.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp3830.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3830.tmp.exe" C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | bejnz.com | udp | 1
US | 44.221.84.105:80 | bejnz.com | tcp | 44
N/A | 127.0.0.1:127 | (none) | tcp | 44

The 44 connections to 44.221.84.105:80 and the 44 loopback connections to 127.0.0.1:127 were logged alternating, one after the other, for the duration of the run.

Files

memory/2492-0-0x0000000074DA1000-0x0000000074DA2000-memory.dmp

memory/2492-1-0x0000000074DA0000-0x000000007534B000-memory.dmp

memory/2492-2-0x0000000074DA0000-0x000000007534B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4mss3g5a.cmdline

MD5 8ab48d3e951fbcb98b8672818b258504
SHA1 88275ce3b7718d06bfb2f75a2aa42b94b4688df9
SHA256 1f1ebaaa8e305ca08c4dcde38f3dcdcfafe87a2ee764c90e54ba03ab005cff20
SHA512 b68d94108687485ca54413bf126721773bfc4ce181cc17b1860e0ac5e1d41e719df71666315b80abac67d1efa53ee42ba61a6a82d455c87c04a62ac266c0bded

memory/2180-8-0x0000000074DA0000-0x000000007534B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4mss3g5a.0.vb

MD5 38c481bdc30be878567d895861a73aba
SHA1 95fbdfa5207482a9a1a5297aab8a62a8a23bf834
SHA256 eff2fda7ca2fb4c47bccbdf222e7aa26131142a2114ffbfe067ea7afba4b94e5
SHA512 fc10ba5d943c2fe890e6d55d9dd2e82a4469316c253d92abd45767e65ea82f43b1d9a02a4b0232041e9801842dd745e3d59df950da2280bd8f9fd2f131b52bec

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8b25b4d931908b4c77ce6c3d5b9a2910
SHA1 88b65fd9733484c8f8147dad9d0896918c7e37c7
SHA256 79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e
SHA512 6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

C:\Users\Admin\AppData\Local\Temp\vbc3AEE.tmp

MD5 27f09b269676a8ead0e6be5a913b8e0f
SHA1 e598d387cc7f16b95358547f75fd91506ea6b19a
SHA256 32ad988fb73360a38e51629caa6908c8f4079229144f6ea3ad6974fdc3202e31
SHA512 291a3cb977a277c825d2eaa8058837aa4004bf1f53239f56f08e9046fcaa1bb7323188111c528da45b58cb10304a2b97a28ae67ba1b9dc05ce4fe6615f2903e9

C:\Users\Admin\AppData\Local\Temp\RES3AEF.tmp

MD5 06c6fb01187dfd6f4a2833adba2ef8c0
SHA1 7a662f33eff59bd034da9075938759e735bcb550
SHA256 5bcdfa5f06f62d957808a467364564d4e6d88ed455dca1b836d27567e1a32787
SHA512 b80c33ea1875cd15c7b7a3d3da63eba0a681342e11de49bab314ad46195fb1f4d350b2df50a7efc2d4630ccc88a0b29183e1b2d794900d4bc5fac3dc1cbfd581

memory/2180-18-0x0000000074DA0000-0x000000007534B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3830.tmp.exe

MD5 5e2c76b14ab56dcc7d9e06d5f95493e2
SHA1 198447e4cd0d0bcabc506e960ff97e60fa571b75
SHA256 65692e6bfecdd47721bea4f69d5575bb4e517ec65fcf69cc1f5870040bc30da1
SHA512 9e989ed9f521790a9b73ea0723baf8b3d3ce3e3782817c01c3ea55cedb9c253c3978dab6225ae8ebc693de0921208d61ee2ab64db7aeb7b4c95da5c1307eb673

memory/2492-24-0x0000000074DA0000-0x000000007534B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-12 16:22
Reported: 2024-11-12 16:24
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp79B4.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp79B4.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp79B4.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp79B4.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 3644 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | 3
PID 1464 wrote to memory of 1056 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | 3
PID 3644 wrote to memory of 4872 | N/A | C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe | C:\Users\Admin\AppData\Local\Temp\tmp79B4.tmp.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe

"C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w3cbyzos.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AFC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc923C69509D4A4D34A674E65432E942BA.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp79B4.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp79B4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\29cd8f175cd863282a7ae07872ad2579fd9cc5c42a00b878b3dd9d8f90dcfb94.exe

Network

DNS queries, in logged order:

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | bejnz.com | udp
US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.208.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Repeated TCP connections, interleaved with the reverse lookups above after the bejnz.com query:

Country | Destination | Domain | Proto | Count
US | 44.221.84.105:80 | bejnz.com | tcp | 34
N/A | 127.0.0.1:127 | (none) | tcp | 34

Files

memory/3644-0-0x0000000074EB2000-0x0000000074EB3000-memory.dmp

memory/3644-1-0x0000000074EB0000-0x0000000075461000-memory.dmp

memory/3644-2-0x0000000074EB0000-0x0000000075461000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\w3cbyzos.cmdline

MD5 94d94c041358fbdbf836ff00178eb8be
SHA1 a21dafa5c171c4fa769ef6253b8c1a43cc7e99af
SHA256 e4b1e58b57fa5f21d8344dbbe1f660443c2f3f17b151e70268bafb159369ce86
SHA512 0e1037930fd23f4e9a6e5ba6c9d1d3104ebc15181d63b223f2768304c0c39eb1610f6a3e754ac4822d70f371f85a503901987c508621ae296ac270ee9b1f9c6d

C:\Users\Admin\AppData\Local\Temp\w3cbyzos.0.vb

MD5 75d528267c5b44248454d85ef62da806
SHA1 2afaa29286c1fbb7b43e83285e3e3e588444033e
SHA256 f56df32264f61a1943f46b2141a8930222451c6db0ae32c262b7b601859b17e7
SHA512 970b35bfb3b7172d4314d4a17b760598a650ba4d894b829645b2e69d97ca0e3038816b98ca5e46b14c6892b43a69cae89c3f6cacf8dcc77c4955d7d9ccbb8758

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8b25b4d931908b4c77ce6c3d5b9a2910
SHA1 88b65fd9733484c8f8147dad9d0896918c7e37c7
SHA256 79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e
SHA512 6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

memory/1464-9-0x0000000074EB0000-0x0000000075461000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc923C69509D4A4D34A674E65432E942BA.TMP

MD5 8300de003d873d7f79633f20925028fb
SHA1 f41e6f5069fbde633584cdbe991849f894c65ae5
SHA256 3de3605da24876224dde7069d8119af572fbc64687089750017faacda25d5f07
SHA512 cdb9e7b98b3bee23d0c81dbbbdadf5ef2f709801ae8f7bba3d88b9fa710336dbe27d741bb5e76c64820641d76cd1ca838c1614363b97696c9d5b3abfe9a2b853

C:\Users\Admin\AppData\Local\Temp\RES7AFC.tmp

MD5 eb8ae20e20234e76165ea15d10629768
SHA1 b3f51ad8dbfaba891cc7d02b80fa55bb8df6ed5e
SHA256 0cd799c0dcb35abf434bb2ae9714b66bc6af321575fe091441f441f07a3b6580
SHA512 338d040e8dc28b7160475e1f769841c382d3008a70142172a0f5ce370530945a27a4677601febe99e40df66aad3fe8bd873f7c8cc85cbee34194322340928471

C:\Users\Admin\AppData\Local\Temp\tmp79B4.tmp.exe

MD5 9b278b1910f42207aa7692af044bf72f
SHA1 3825ae05ba75ae3bce6d7d99d2c39e8c36f755a9
SHA256 00354fce48a7eaa9debf2b0f82096fd209de7cbc135cc9acd8065a59dc5d1fb7
SHA512 ea2629fdfab9ad688f1a080befa4fd42d1eb1ff43b7e719597e1ca3ecd419bab4eaf2d17fadfb59885d15e5457aafb008aeac0ffd425ac75b1c91031b292f801

memory/1464-18-0x0000000074EB0000-0x0000000075461000-memory.dmp

memory/4872-23-0x0000000074EB0000-0x0000000075461000-memory.dmp

memory/3644-22-0x0000000074EB0000-0x0000000075461000-memory.dmp

memory/4872-24-0x0000000074EB0000-0x0000000075461000-memory.dmp

memory/4872-26-0x0000000074EB0000-0x0000000075461000-memory.dmp

memory/4872-27-0x0000000074EB0000-0x0000000075461000-memory.dmp

memory/4872-28-0x0000000074EB0000-0x0000000075461000-memory.dmp

memory/4872-29-0x0000000074EB0000-0x0000000075461000-memory.dmp

memory/4872-30-0x0000000074EB0000-0x0000000075461000-memory.dmp