Malware Analysis Report

2024-11-16 13:11

Sample ID 240410-gd9mwaeb76
Target 1b8daf3e4c9c5407447c3c96e0b0ed7b
SHA256 37dd69272c8cb247c3bb56283a9a786cc5cde3abaefcfead2067f81106f64d4e
Tags metamorpherrat persistence rat stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 37dd69272c8cb247c3bb56283a9a786cc5cde3abaefcfead2067f81106f64d4e

Threat Level: Known bad

The file 1b8daf3e4c9c5407447c3c96e0b0ed7b was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Checks computer location settings

Uses the VBS compiler for execution

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-10 05:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-10 05:42
Reported 2024-04-10 05:46
Platform win7-20240221-en
Max time kernel 215s
Max time network 247s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp6133.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp6133.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp6133.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2996 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2764 wrote to memory of 1884 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2996 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe C:\Users\Admin\AppData\Local\Temp\tmp6133.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe

"C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pejrj70a.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C04.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C03.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp6133.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6133.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp

Files

memory/2996-0-0x00000000744A0000-0x0000000074A4B000-memory.dmp

memory/2996-2-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

memory/2996-1-0x00000000744A0000-0x0000000074A4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pejrj70a.cmdline

MD5 2ae027ea022ce6db49f4d6f11af059a1
SHA1 76106da7b68864a623b842b5e40cd357c98a1455
SHA256 157a957c2086c76eadfe8e03add031f18fcb984a859d8762f91eba97c13dae36
SHA512 63e888b970f73bb84dd9758b58931d160fbfa26a5fef65c28ce3d2e9b739b9c762abce5769e8fd2501664fc2b4144b4036bd97c12d74042dfd510d25f6175a6d

memory/2996-8-0x00000000744A0000-0x0000000074A4B000-memory.dmp

memory/2764-9-0x00000000022B0000-0x00000000022F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pejrj70a.0.vb

MD5 610e072cfc9c7f9030af6bba8cc4c665
SHA1 724e1fd137145d37028856edf83e96287606605e
SHA256 d5d56aca6147f675cd95d81c8f0588e35b019225994fc97a66f376410456a1c6
SHA512 cc2f61226e1ddbe9e179c2771b6982db9f28bb2f77feeedef7b406eaee35de797f9d9da3fb785bf1f5bd445ce925a20b7283da5a87e958b6ab77a8dd01cbc2ae

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc7C03.tmp

MD5 456a3608ec7178f94adc01fe3c8c3d2d
SHA1 9bfda8b56d31e492e8881045270508737779873b
SHA256 eb1b044d82abb8bca7c5ad8aab130d783d5bb81f25c15e5331facbcbd4aea9c5
SHA512 d2643c1f67dd855b44dd2c96c9193f11e567ab7919d3feeba596624e4bf5ecd7e23321e5c63da4638299aa69ba6b48c0726fa7eceff2765446f202ae8847cd70

C:\Users\Admin\AppData\Local\Temp\RES7C04.tmp

MD5 eee25a938ab0889f04c0f132022ae326
SHA1 165d44fb4dea19d9b2428576445a2d01fd22742a
SHA256 d12eacb0bed784691a4b4df358c8bd1882a5e8b130133b7f9af920f82f7fc60e
SHA512 e26c914829587388b8439199f2ab7283c685e80debb4fa9dfb26d50577bd54dd45eb8f1c332902d635f4a269c10fff034f0246ac82affe6e4293e0accaa505a4

C:\Users\Admin\AppData\Local\Temp\tmp6133.tmp.exe

MD5 d49ae592d8fbfadc2a860872fc548df0
SHA1 a9a1847c22c173027b6d26169b6934de86c17d70
SHA256 5fdec8e7b1fa5e61438cf123f79f1c6add5c435db6b273fbfa662051f8e29839
SHA512 a2ef68e24c43d95ddecc58282b4a5bb2b6a6b660c47390d0979133e2c26c33295a6b8fbbceef078f7b92f26913a9358e11495a1b6fba69d8a23238b367585f9a

memory/2492-26-0x0000000000580000-0x00000000005C0000-memory.dmp

memory/2492-25-0x00000000744A0000-0x0000000074A4B000-memory.dmp

memory/2996-24-0x00000000744A0000-0x0000000074A4B000-memory.dmp

memory/2492-27-0x00000000744A0000-0x0000000074A4B000-memory.dmp

memory/2492-29-0x0000000000580000-0x00000000005C0000-memory.dmp

memory/2492-30-0x00000000744A0000-0x0000000074A4B000-memory.dmp

memory/2492-31-0x0000000000580000-0x00000000005C0000-memory.dmp

memory/2492-32-0x00000000744A0000-0x0000000074A4B000-memory.dmp

memory/2492-33-0x0000000000580000-0x00000000005C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-10 05:42
Reported 2024-04-10 05:45
Platform win10v2004-20240226-en
Max time kernel 149s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp465F.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp465F.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp465F.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe

"C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hw5yxc7h.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4798.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDC1F2991BF44427DB19013C125CDF29E.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp465F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp465F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1b8daf3e4c9c5407447c3c96e0b0ed7b.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

memory/512-0-0x00000000754E0000-0x0000000075A91000-memory.dmp

memory/512-1-0x00000000754E0000-0x0000000075A91000-memory.dmp

memory/512-2-0x0000000001420000-0x0000000001430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hw5yxc7h.cmdline

MD5 999298a96931f81d0a1beab6a567111f
SHA1 59c721b4d24d96d177ecb2d514d27420bb6c65f9
SHA256 fb6617968e757fbe9c26a5f8f74b5dc1dc69ae430814f7ea749bb87d57f57bf1
SHA512 d01c3d34f02eb4167e59fdbb2cdc36f25e5c9a9dc882bafc617f1038d86ae61f30f9ec7870c73e3011c1941a338410a5402e0047ec648b4d4568643e0ec7cb6f

C:\Users\Admin\AppData\Local\Temp\hw5yxc7h.0.vb

MD5 3ecbd452fe9e2ee1c19459876f1a77e1
SHA1 24baf074ce72b8df62c1875db8c51443bc9db2ad
SHA256 225cff039d7e378538b38fef7872d51d34cfe2dfb7c6d91f8dccc237de88cede
SHA512 781d1f3c4ef2b408387d3f6844fc92250c2f5b88e413044873ec5ffa718ae51b13c4d304373f9009021f697822194421f6138e2bbb07b4f4910662d527d91bf8

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbcDC1F2991BF44427DB19013C125CDF29E.TMP

MD5 e9b2a3317f4f4247e9a2bd5bb867cba4
SHA1 7f25ce09851149a1b2fe69aff1cda2f91989f6e3
SHA256 5eeccc593bce775bf2b3d7c9350295a06daf4c1eb7768e17ca6c578634d97cf1
SHA512 764501bbd583f6f9bd10ae3491a8c54f91b6bf1b715f5f8481a75bebb5e667f7cffa213f796634fadf9d35e0fe68cfc0e83e727c8ab0a6613779a108003add98

C:\Users\Admin\AppData\Local\Temp\RES4798.tmp

MD5 514851e196fb0a8a0f2406fabdb5585f
SHA1 7807fa5f4e0b2cfbbad78fc5e85ad9c5fc1114be
SHA256 88ed0ed3e2a40598e1590aec06e7a9b364b6e8bfb23b9a81f743dffe44873a9a
SHA512 8149ca8ffdf4d108ae24f2ec7f936e763041b8fc29d0e85473b55b956bc77ef9f9de4af256024caa3f3cac6a297bfa121616bb1f3b11c5dc2d6a01fa3e672db3

C:\Users\Admin\AppData\Local\Temp\tmp465F.tmp.exe

MD5 5ad16251568f54c50b1088b225801355
SHA1 8c03879b16ae537a39b9a7d14d7907b423908d33
SHA256 3829a534059cbaa22c1d147e7977b0c1d56729db6119ba4d29a0524ce77da127
SHA512 5ef1191aa26d742d29acc46ea88746e25db2b23f72491fe9e5e349a1e635eb0d2e2dde3e54d373748c2701f7e73f93e859bbc7b4b01abb71d5f4cfff0cd24f8d

memory/512-20-0x00000000754E0000-0x0000000075A91000-memory.dmp

memory/516-21-0x00000000754E0000-0x0000000075A91000-memory.dmp

memory/516-22-0x00000000012A0000-0x00000000012B0000-memory.dmp

memory/516-23-0x00000000754E0000-0x0000000075A91000-memory.dmp

memory/516-25-0x00000000012A0000-0x00000000012B0000-memory.dmp

memory/516-26-0x00000000754E0000-0x0000000075A91000-memory.dmp

memory/516-27-0x00000000012A0000-0x00000000012B0000-memory.dmp

memory/516-28-0x00000000012A0000-0x00000000012B0000-memory.dmp