Malware Analysis Report

2024-11-16 13:11

Sample ID 240409-cjpsfaeg7s
Target c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25
SHA256 c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25
Tags
persistence metamorpherrat rat stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25

Threat Level: Known bad

The file c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25 was found to be: Known bad.

Malicious Activity Summary

persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 02:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 02:06

Reported

2024-04-09 02:09

Platform

win7-20231129-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1108 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2968 wrote to memory of 1308 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1108 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe

"C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hqsesjwu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEC0.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp

Files

memory/1108-0-0x0000000074510000-0x0000000074ABB000-memory.dmp

memory/1108-1-0x0000000074510000-0x0000000074ABB000-memory.dmp

memory/1108-2-0x0000000002210000-0x0000000002250000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hqsesjwu.cmdline

MD5 c0acac0e4866d715ad98faa8ca56bf24
SHA1 7caac48be7c5a38332736a10c462f3ee78f40e32
SHA256 1435c5efd868dc873af620ba24844a617f9d4781151afe9eeb2cf67bc3a9f709
SHA512 b063e7cdd4540218b7adad2800d9b83048fa0f29319fcb26ce0f2bb2931fd792aa4ac51d9119349086d8c119bbfba9bcc297789d1c6c982230cb5979976e9ece

C:\Users\Admin\AppData\Local\Temp\hqsesjwu.0.vb

MD5 cabc418c9232104a7f8e951599fe9fdc
SHA1 1d0ea1545723c6b0c424ff888fdc5cf58b37e2c4
SHA256 ab72d02776790f86486a354c901af394f5d1c141627a8654839c0e548070b3e9
SHA512 1cf3888fe037d6d18ba6fe5e5208993804a2155ff8a0956c9fe8d303410687f0ba54aa0f3ae59c1ebd7105f52730e0c0bd6b79dbe7b9ab889261758b91dffca6

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 6870a276e0bed6dd5394d178156ebad0
SHA1 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

C:\Users\Admin\AppData\Local\Temp\vbcEC0.tmp

MD5 8662a00c0a86fcd78092cac8d12f7ac7
SHA1 eb0bd52f284876d113fcab1d8df94af4c516baa8
SHA256 18f582b49439b5a20cc0d71060689e6486372f1e3b79d8c413ec44c8f7d5fe8a
SHA512 0466f34c97388809bd268088e4909fc158791117d3afde98c45c6753b9bcc319e90a849095013b8a14ccb2927d216ca7d8cda9c62e8d7112f087cad5492307c5

C:\Users\Admin\AppData\Local\Temp\RESEC1.tmp

MD5 68f9774225eaafb08266764a33dae62f
SHA1 a25e1681086a185b83860cb03f6d2877983406f7
SHA256 938b4d0630d90155ef89d5b009ed9b186e64ac9eea6ab38b2095d173054f5f7b
SHA512 06472e457d6b9e55ca91cacd7603769cc80b1319a670c8c0f15a413c2acb99723370f7b84336fe539f73e8b8811aa09d63dcd0ca6c00e16cf1326f6b50149a36

C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.exe

MD5 61edab1e6c3c740becadd2afab08d23d
SHA1 2197e4295432e4d2eb669deb988b80f79a6c77f4
SHA256 e6c70b1b959b89b8f1fe2235d4a96b00b3d14a558162c50496ac62c0c0f7bfcc
SHA512 dff8da05a16059af7ae176c124d85190ef38746d1ddd4ceef65aa5ce2be04571fbb3be4a4b96a51642918b3b39fa6b2c6493c60e3088bca77d9bc8d0ad74e5da

memory/1108-22-0x0000000074510000-0x0000000074ABB000-memory.dmp

memory/2792-23-0x0000000074510000-0x0000000074ABB000-memory.dmp

memory/2792-24-0x00000000020B0000-0x00000000020F0000-memory.dmp

memory/2792-25-0x0000000074510000-0x0000000074ABB000-memory.dmp

memory/2792-27-0x00000000020B0000-0x00000000020F0000-memory.dmp

memory/2792-29-0x00000000020B0000-0x00000000020F0000-memory.dmp

memory/2792-28-0x0000000074510000-0x0000000074ABB000-memory.dmp

memory/2792-30-0x00000000020B0000-0x00000000020F0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 02:06

Reported

2024-04-09 02:09

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp3345.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp3345.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp3345.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5084 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 64 wrote to memory of 4260 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5084 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe C:\Users\Admin\AppData\Local\Temp\tmp3345.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe

"C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bxegukxd.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES343F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5337CD363044907AF3CECB35CADDAD4.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp3345.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3345.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c22eca5cdde3c35ee9e2813ec6b43029c8f397f7e7e75180066304be08d00e25.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/5084-0-0x00000000750B0000-0x0000000075661000-memory.dmp

memory/5084-1-0x00000000750B0000-0x0000000075661000-memory.dmp

memory/5084-2-0x0000000001380000-0x0000000001390000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bxegukxd.cmdline

MD5 52fb153f6a743c771856ecacb16ef07f
SHA1 a0f9d82f727209daf0914af224600338bd0ef248
SHA256 81e8e110b501e036ccc262d2e3474b875e287788b5004d0e91f35c8cfcbc19ed
SHA512 ead4e3c4c592d20ec032cb858309c3e03497bf3eb8196abbf6c0cd9b749da4310b09d59dae9e27e2b37c79ed9c9d0376b1c7bd38e1df72b363799f03a1cb38f6

memory/64-8-0x00000000027D0000-0x00000000027E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bxegukxd.0.vb

MD5 e99ebc6bc24a2bdfcb4ec637ff57c064
SHA1 897c979880d5ca1e4c382f467ac46fe32f3d857f
SHA256 072b4d402cbeaab07fb9856746baad33cf0c922e5648016affc6b09268c4dfce
SHA512 2b2150d7c3ebb20c255a6856c69dff0f7557ed10a22109a22ea5c0162c2ecde5f7ffa7eacf1f6d234a677b278c4a1e6c70226882ef7ec46b9d4187731e25e8d6

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 6870a276e0bed6dd5394d178156ebad0
SHA1 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

C:\Users\Admin\AppData\Local\Temp\vbcC5337CD363044907AF3CECB35CADDAD4.TMP

MD5 3dcbc61eac7e753d6d81c040ab411093
SHA1 0198c87b5c013b0623da380053ef6c248ffbb04a
SHA256 ea173764d58f963cda1ad7a4fcfa4fef48cdc5e6f3490371d2619141c799f8dc
SHA512 dad9a8cfb05b392d32a38ec45c402836dcb6ff70a3eaf9624b852d5a10a757ef3786fca96b88c8dec46f110f9347f0457c27538fa98f2e8aefe16a7a82e174b5

C:\Users\Admin\AppData\Local\Temp\RES343F.tmp

MD5 396704f7b1099528db2e8d2670c92bd4
SHA1 dc6799ed13c67805b8026f063ea3e3561e8399fa
SHA256 7f2130d7d3a2256639bdcae7ba7aca5e42e021d74bbd13ba775839bf75c8ae15
SHA512 0f61519915b634e2b65677499b5000af4bad91f7d67d5aa4296e3eab1617ec594eb3646a6db7bcf76d2e033d41cd27282aa1647aa56dfb07576df7ceebcb72ae

C:\Users\Admin\AppData\Local\Temp\tmp3345.tmp.exe

MD5 b0b093af02128503a7ab8f8d0183289e
SHA1 85be34e86f906aee0428d8e0d6dd6568ec277dc8
SHA256 c1beb34f739a86ab382d63431efd640b81fcc73c520f0b2a42448c5dbab32b66
SHA512 efd1ff2d9ac697d634a5eb8670fc576d64283c6a652b612db67b240e562730380f5163680fefc1422134cdf498f38724bfc6d02fe2c71092b4c90b78827e1ea7

memory/5084-21-0x00000000750B0000-0x0000000075661000-memory.dmp

memory/5036-22-0x00000000750B0000-0x0000000075661000-memory.dmp

memory/5036-23-0x00000000011F0000-0x0000000001200000-memory.dmp

memory/5036-24-0x00000000750B0000-0x0000000075661000-memory.dmp

memory/5036-26-0x00000000011F0000-0x0000000001200000-memory.dmp

memory/5036-27-0x00000000750B0000-0x0000000075661000-memory.dmp

memory/5036-28-0x00000000011F0000-0x0000000001200000-memory.dmp

memory/5036-29-0x00000000011F0000-0x0000000001200000-memory.dmp