Malware Analysis Report

2024-11-16 13:11

Sample ID 240411-yzmhxafc5s
Target 389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec
SHA256 389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec

Threat Level: Known bad

The file 389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-11 20:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-11 20:13

Reported

2024-04-11 20:16

Platform

win7-20240221-en

Max time kernel

158s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1640 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1640 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1640 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2520 wrote to memory of 2500 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2520 wrote to memory of 2500 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2520 wrote to memory of 2500 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2520 wrote to memory of 2500 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1640 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp.exe
PID 1640 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp.exe
PID 1640 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp.exe
PID 1640 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe

"C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\thowj3zv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6BED.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 tcp

Files

memory/1640-0-0x0000000073DF0000-0x000000007439B000-memory.dmp

memory/1640-1-0x0000000073DF0000-0x000000007439B000-memory.dmp

memory/1640-2-0x00000000001F0000-0x0000000000230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\thowj3zv.cmdline

MD5 d2666d1f808625bf02f2ed044ffca0f8
SHA1 8a5310e84e114dcc78cf02f39ae85c18d4a8ea83
SHA256 0e326700811676f9702693a825259c437dd97bd7a50bd269a3539ff698b6ff2a
SHA512 ed71247c807f084910393f614ff337c57d4bb87e135beafa2c7fe3e3207c0fdc6f649903ef1c10de88de77d4d50f49b4942a365c391c923be2f68c0a6032ff92

C:\Users\Admin\AppData\Local\Temp\thowj3zv.0.vb

MD5 71a356e0457efc4041a817d97111eeae
SHA1 8948894c14a17c208ceca082cd0c0195d2299080
SHA256 84f09387033917b65f5c19c135a6c4adf524ef50da3806577dde838f3ad7b241
SHA512 1eebc3383e61306f34cce5fec06f6addd4279e0b99667bb5c231aa13e9a2fd53f6fde12e8414df0fab7f45554a770aee8951fbe40630cc53c64f1688432cb632

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 6870a276e0bed6dd5394d178156ebad0
SHA1 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

C:\Users\Admin\AppData\Local\Temp\vbc6BED.tmp

MD5 11e244cd03743eb6803d67c4f6150cde
SHA1 1bce9583c33072f301651c6f38bc80e100afd092
SHA256 8ecca11964def559939f2c5e45899c9e6a4899a3dd988b6dc825b5c54faeca6e
SHA512 e31a4d5072c77ec580f82d6cf08bc7f547031027165dcd08272f8a76b3c295b1233972f7144e697e72fc8253e43fe2e39a9e8c7a5e311345f0a5d1213604bb58

C:\Users\Admin\AppData\Local\Temp\RES6BFD.tmp

MD5 ef028f39351163f145da547dccaa5063
SHA1 f8e438b1fac34071117ba6b190f99de9ce73fbe8
SHA256 b5e0db0ff04c3f133afd28876ee0565e4cd68ec99ffe847226cb31fc53fee2a7
SHA512 2b6336bee0d6de105df24ba415fea7645ddb33e76fedd3c220e3f82c2ea055190b19462fbbae46375aeb50f3e02c0abd14efa783fb704c0de156500169622c54

C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp.exe

MD5 e2090f7cc489828a963ea34f85057e44
SHA1 c6e2b1a29d050d35837ba28dca0003ba9677822a
SHA256 62afe098508c2407808e8efe7768b578d79093fae2b5810163ef897e260c2c80
SHA512 636fc4d344848c9b4e711ef661461b7b59bbd37c2e8dbe6404863041dc956e6f6d7558a7ce713d17966333024bd5b0fb0ca314067cff776e59a7ed7e1688f38d

memory/1640-22-0x0000000073DF0000-0x000000007439B000-memory.dmp

memory/1944-23-0x0000000073DF0000-0x000000007439B000-memory.dmp

memory/1944-24-0x0000000073DF0000-0x000000007439B000-memory.dmp

memory/1944-26-0x00000000002F0000-0x0000000000330000-memory.dmp

memory/1944-27-0x0000000073DF0000-0x000000007439B000-memory.dmp

memory/1944-28-0x00000000002F0000-0x0000000000330000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-11 20:13

Reported

2024-04-11 20:16

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA6EE.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpA6EE.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpA6EE.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3220 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3220 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3220 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4712 wrote to memory of 2136 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4712 wrote to memory of 2136 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4712 wrote to memory of 2136 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3220 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe C:\Users\Admin\AppData\Local\Temp\tmpA6EE.tmp.exe
PID 3220 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe C:\Users\Admin\AppData\Local\Temp\tmpA6EE.tmp.exe
PID 3220 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe C:\Users\Admin\AppData\Local\Temp\tmpA6EE.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe

"C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nlp8tory.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA856.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17F71ECD5EB545179B2370FFCE41B734.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpA6EE.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA6EE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\389715c475e4a8307f5c32702b6bb5cb0fe8491cb0e89868fa4b3023b48bf9ec.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 13.107.246.64:443 tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.201.106:443 chromewebstore.googleapis.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp

Files

memory/3220-0-0x00000000752F0000-0x00000000758A1000-memory.dmp

memory/3220-1-0x0000000000B60000-0x0000000000B70000-memory.dmp

memory/3220-2-0x00000000752F0000-0x00000000758A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nlp8tory.cmdline

MD5 c65ef368039ae2dd652acf73746a7628
SHA1 8731616bb0d90a01b6bc94fac0130d930e2deb7a
SHA256 b42e4e33a29f63567f46867247e3431761ebb283a590b873934204bc8845be45
SHA512 e909f0f0d4c87169cdad804c2a53221eea32365e5adbd00dc62855110af19f0744353ee2e9a473ea66b7ebb185004d015ac059374a0dbabb1aa8c11e45f3f6b5

C:\Users\Admin\AppData\Local\Temp\nlp8tory.0.vb

MD5 ec13382cda8868d51e3eac201099a986
SHA1 0dad3f139d35a606096a1344675ca214490d470a
SHA256 31dde1f13e96a4d06f76e9c8e7b838c3de8c8271708f9888461207c7607573b0
SHA512 f8172bf03ec1ef324224a434f6daad801ae46b393baa0ff21e1e81b409d2676e1f9b4423a515aecf55181eb26ae3064de018fb1e19356a9bea88c785a5b51b0c

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 6870a276e0bed6dd5394d178156ebad0
SHA1 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

C:\Users\Admin\AppData\Local\Temp\vbc17F71ECD5EB545179B2370FFCE41B734.TMP

MD5 6aa45780170bff771f9283d0fa336bf1
SHA1 e4386eabfb6c93d1839d89ec05ffce6f5834fb06
SHA256 0ab6a7dc3bc7c4005d5fd1634112abc8fa90f15e1e9068ae2aaa9452001bc35f
SHA512 22846bf40b3a8ba2f035d4b5dd89fc8380138d6abdb162f1da6ce15208bffa03c6c5fb25feb893c48d914c7729b83d9cf84fc2f8c2850ce6389e7f890fd8d868

C:\Users\Admin\AppData\Local\Temp\RESA856.tmp

MD5 5fcb86efbdad81eb8488dc51c6aee88d
SHA1 a03b0e45288a226010cbe547c98f8141e47c62f5
SHA256 b6a84e6108d1c59cc257e85ad989d3d91b67f4059bdb23aa3a473d138f8e95e4
SHA512 df88c23f690c8eedf22f9d1469b5fc9a64b10c49214bdeed36a0f4d6d98316966ed36cd7d35fc4805e8285b8e512703424d8c4d8fe23a3a655c0cbe6d25b40f0

C:\Users\Admin\AppData\Local\Temp\tmpA6EE.tmp.exe

MD5 b1ad65a6aaef85c6efe22b84bbb8732d
SHA1 91ad6668e99b72cddf721955c307fe67cd26ec51
SHA256 0a333bba409c20e019f59fa8b1eec93ba11c3ac0fc366d5f917148d1d41033bd
SHA512 8e3c3db213d23bb033914405f9a6c4c7d0be2cd5eedfcfdbbab578dec9afa47be7f8bd1c3a75bcd01628369dea80f75b89f67648527e79bc35b058a3a6d60993

memory/3220-20-0x00000000752F0000-0x00000000758A1000-memory.dmp

memory/3824-21-0x00000000752F0000-0x00000000758A1000-memory.dmp

memory/3824-22-0x0000000000B00000-0x0000000000B10000-memory.dmp

memory/3824-23-0x00000000752F0000-0x00000000758A1000-memory.dmp

memory/3824-25-0x0000000000B00000-0x0000000000B10000-memory.dmp

memory/3824-26-0x00000000752F0000-0x00000000758A1000-memory.dmp

memory/3824-27-0x0000000000B00000-0x0000000000B10000-memory.dmp

memory/3824-28-0x0000000000B00000-0x0000000000B10000-memory.dmp