Malware Analysis Report

2024-09-11 10:23

Sample ID 240716-ylyc9azfqg
Target 0002bcc0491b271edc25aff61de80f00N.exe
SHA256 e487ec7bf8779743f7c733d6fb79c189f9fa84186a9782a2f1576b7a3e484243
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e487ec7bf8779743f7c733d6fb79c189f9fa84186a9782a2f1576b7a3e484243

Threat Level: Known bad

The file 0002bcc0491b271edc25aff61de80f00N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-16 19:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-16 19:53

Reported

2024-07-16 19:55

Platform

win7-20240704-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1F44.tmp.exe N/A

Uses the VBS compiler for execution

The signature name is loose: vbc.exe is the Visual Basic .NET command-line compiler, not a VBScript engine. The Processes and Files sections below show the .NET CodeDOM compile-at-runtime pattern. The sample writes source (_girkcpn.0.vb) and a compiler response file (_girkcpn.cmdline) to %TEMP% alongside zCom.resources, runs vbc.exe /noconfig @_girkcpn.cmdline, vbc.exe in turn runs cvtres.exe to emit RES2222.tmp, and the freshly built tmp1F44.tmp.exe is then executed with the path of the original sample as its argument. The payload therefore never exists on disk as a prebuilt PE inside the dropper; it is compiled on the victim.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp1F44.tmp.exe N/A

The value name and target borrow names from ASP.NET (aspnet_state.exe, System.Web.dll), but no file named System.Web.exe appears among the files written during this run; the only dropped PE recorded is tmp1F44.tmp.exe. The report therefore does not capture the binary the Run key points at, and a responder should check for it on an infected host rather than assume the persistence entry is dangling.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp1F44.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Writes
PID 1996 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
PID 2484 wrote to memory of 2216 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 1996 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe C:\Users\Admin\AppData\Local\Temp\tmp1F44.tmp.exe 4

Identical rows collapsed into a count. Every row is a parent writing into a child it has just created, which CreateProcess does as a matter of course when it places the process parameters in the new process; the same four-write pattern on the compiler's own cvtres.exe child shows this is ordinary process spawning, not injection into an unrelated process.

Processes

C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe

"C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_girkcpn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2222.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2221.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp1F44.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1F44.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 44.221.84.105:80 bejnz.com tcp 82
US 8.8.8.8:53 rwkeith.no-ip.org udp 1

Collapsed from the original 84-row table, in which the 82 bejnz.com connections were listed one per row. All TCP traffic in this run is cleartext HTTP to 44.221.84.105:80; rwkeith.no-ip.org (a dynamic-DNS hostname) is resolved once and no connection to it is recorded.

Files

memory/1996-0-0x00000000749A1000-0x00000000749A2000-memory.dmp

memory/1996-1-0x00000000749A0000-0x0000000074F4B000-memory.dmp

memory/1996-2-0x00000000749A0000-0x0000000074F4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_girkcpn.cmdline

MD5 157e5dd65c28870a94273a0606c2767a
SHA1 ffb5589dce46f903bd076b01c36bc2955a951d27
SHA256 cf318de772047621a26ad710092a915718eb3e6d0b0dc44434c5c1a07cf77de0
SHA512 05e66265236e046a2d9af85701fdeffe1f993761940025acbfaf1c4f71f42d6ed9427ed9379cb78c44e5dace23702a5a96b632e3696fa95cd2e475b6049198c7

memory/2484-9-0x00000000749A0000-0x0000000074F4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_girkcpn.0.vb

MD5 d0f5163def0d4686de6ce2c1a62a5d9e
SHA1 77e072cb6281d495c1e9c49c81d2226bcb921a81
SHA256 e6298be1816407a418e8ebbc7a2da348825f9efa9cd255e8f31ea7f866cbdc5a
SHA512 54fc42ae4f7e0d3dff6a2737a8b5683a8d40c8a14dce33d9cfb47aae6cdd1a35f351d171a327396fbd934bf3813ff301cac952cb2bd923e3d33e301bf0ace3b2

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc2221.tmp

MD5 160009c71f443c319cf2dfc3fa266c6b
SHA1 e1467a03914b95a8539d5814719079fa5da67ebf
SHA256 e0eabff6a8b2f8b07935621556b629ba8fb91d0f88d196c611fd9850641aaed4
SHA512 57330b490a951d2e2d9e2064d2781e88948b8e72d247012cd17a9e6bc5eaa901c382b410aca1a24a3fecc5df47d8947793a19cd5874ddd5e2b0cf84811a5d8b0

C:\Users\Admin\AppData\Local\Temp\RES2222.tmp

MD5 41e81242535f34b05ea4308492317f20
SHA1 9a1bbf3d7d1f4965aa1337492f47890e47eea709
SHA256 518eac1348510baf219c9c3f786fc6b30e76bb9e142e4283936b2a64bfe357b4
SHA512 686f15f8eb4302cb08a440d71889891a0390aa0110ac1694b9acfdcc4b6d572973b5cc71c801ae78c610de8deadcda6b666cc98a360c4628583cfcc7ba2e45fc

memory/2484-18-0x00000000749A0000-0x0000000074F4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1F44.tmp.exe

MD5 e50c66277e6d2c4e3f7e2564469f43a6
SHA1 132033fd86c467e7da212cc68d6c9d8359cc6e98
SHA256 c30f1fe733eed4a32b4830c78d47eb990e0e0f9b72c4ef469026d1497e8d417e
SHA512 ac68c729be3ac2973bd637e18010f782ccd7b90696927b8b3800d76460ec43c33803abebb93518155c823cc97fb11a109c7150cee3128dc5a6797ab2dba78fa8

memory/1996-24-0x00000000749A0000-0x0000000074F4B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-16 19:53

Reported

2024-07-16 19:55

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpAFF7.tmp.exe N/A

Uses the VBS compiler for execution

vbc.exe is the Visual Basic .NET compiler rather than a VBScript engine. The Processes and Files sections show the same .NET CodeDOM compile-at-runtime chain on Windows 10: jnatxnye.0.vb and jnatxnye.cmdline are written to %TEMP%, vbc.exe /noconfig @jnatxnye.cmdline builds them, cvtres.exe emits RESB1CB.tmp, and the output tmpAFF7.tmp.exe is executed with the original sample's path as its argument.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpAFF7.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpAFF7.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe

"C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jnatxnye.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB82D3E0314C4826858B71D84BA576E.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpAFF7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpAFF7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe
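Detection logic for the chain shown in both detonations (compiler spawned from a non-build process with an @response file, a tmp*.tmp.exe run from Temp by the same parent, then a Run value pointing into Temp), as an added example that is not part of the sandbox report or of the sample. EVENTS is a constructed Sysmon-style event list rebuilt from the behavioral1 Processes and Signatures tables; the root process's parent (explorer.exe, PID 1234), the final MSBuild record used as a benign control, and the BUILD_HOSTS allowlist are assumptions. The rule also covers csc.exe, since the same CodeDOM pattern is used with the C# compiler, which this report does not show.

```python
"""Detect the compile-at-runtime chain and the Run-key persistence this report
records, over Sysmon-style events (EventID 1 = process create, 13 = registry
value set).  Added example: not part of the sandbox report or of the sample."""
import ntpath
import re

COMPILERS = {"vbc.exe", "csc.exe"}          # VB.NET and C# command-line compilers
BUILD_HOSTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}  # assumed allowlist of parents
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)
TEMP = "\\appdata\\local\\temp\\"

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0002bcc0491b271edc25aff61de80f00N.exe"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\tmp1F44.tmp.exe"

# Constructed from the behavioral1 Processes / Signatures tables. The root's parent
# (explorer.exe, PID 1234) and the last MSBuild record (benign control) are assumed.
EVENTS = [
    {"EventID": 1, "ProcessId": 1996, "ParentProcessId": 1234, "Image": SAMPLE,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 2484, "ParentProcessId": 1996, "Image": FW + r"\vbc.exe",
     "ParentImage": SAMPLE,
     "CommandLine": f'"{FW}\\vbc.exe" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\_girkcpn.cmdline"'},
    {"EventID": 1, "ProcessId": 2216, "ParentProcessId": 2484, "Image": FW + r"\cvtres.exe",
     "ParentImage": FW + r"\vbc.exe",
     "CommandLine": FW + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2222.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2221.tmp"'},
    {"EventID": 1, "ProcessId": 2736, "ParentProcessId": 1996, "Image": DROPPED,
     "ParentImage": SAMPLE, "CommandLine": f'"{DROPPED}" {SAMPLE}'},
    {"EventID": 13, "ProcessId": 2736, "Image": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\System.Web.exe"'},
    {"EventID": 1, "ProcessId": 3100, "ParentProcessId": 3000, "Image": FW + r"\vbc.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": f'"{FW}\\vbc.exe" /noconfig @"C:\\src\\app\\obj\\Debug\\app.cmdline"'},
]


def _base(path):
    return ntpath.basename(path).lower()


def _in_temp(path):
    return TEMP in path.lower()


def detect(events):
    """Return (rule, pid, detail) findings in event order.

    A compiler run is only a finding when its parent is not a build tool; a PE run
    from Temp is upgraded to compile_and_run when the same parent spawned a compiler
    earlier, which is the sequence this sample shows (1996 -> vbc.exe, 1996 -> tmp*.exe).
    """
    findings, compiled_from = [], {}   # parent pid -> response file it compiled with
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:
            img, parent = _base(ev["Image"]), _base(ev["ParentImage"])
            if img in COMPILERS:
                m = RESPONSE_FILE.search(ev["CommandLine"])
                if m and parent not in BUILD_HOSTS:
                    compiled_from[ev["ParentProcessId"]] = m.group(1)
                    findings.append(("runtime_compile", pid,
                                     f"{parent} spawned {img} with response file {m.group(1)}"))
            elif img == "cvtres.exe" and parent in COMPILERS:
                continue   # the compiler emitting resources; expected, context only
            elif _in_temp(ev["Image"]) and img.endswith(".tmp.exe"):
                rule = "compile_and_run" if ev["ParentProcessId"] in compiled_from else "temp_pe_exec"
                findings.append((rule, pid, f"{parent} executed {ev['Image']}"))
        elif ev["EventID"] == 13:
            key, value = ev["TargetObject"], ev["Details"]
            if "\\currentversion\\run\\" in key.lower() and _in_temp(value):
                findings.append(("run_key_to_temp", pid, f"{ntpath.basename(key)} = {value}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:16} pid={pid:<5} {detail}")
```

The parent-PID correlation is what separates this from a bare "vbc.exe ran" alert: legitimate CodeDOM users (report generators, scripting hosts) also invoke vbc.exe with a response file, but they rarely go on to execute the compiled binary from Temp with their own path as an argument, and they do not write a Run value into Temp.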

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 g.bing.com udp 1
US 13.107.21.237:443 g.bing.com tcp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.27.10:443 tse1.mm.bing.net tcp 5
US 8.8.8.8:53 bejnz.com udp 1
US 44.221.84.105:80 bejnz.com tcp 89
US 8.8.8.8:53 rwkeith.no-ip.org udp 26
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp 1
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp 1
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp 1
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp 1
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp 1
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp 1
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp 1
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp 1

Collapsed from the original 136-row table. In the original order, the rwkeith.no-ip.org queries recur between bursts of one to four bejnz.com connections for the whole run, so the sample keeps re-resolving the dynamic-DNS hostname, yet no TCP connection to it is recorded. The bing.com / bing.net traffic and the in-addr.arpa reverse lookups are consistent with the Windows 10 image's own activity rather than the sample's.
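A way to triage a network table like the one above, as an added example that is not part of the report or of any sandbox tooling: it parses the rows, sets aside reverse lookups and the Windows 10 image's own Bing traffic (NOISE_SUFFIXES is an assumption about what the image produces on its own), counts connections per destination, and lists hostnames that were queried over DNS but never connected to. ROWS is a 14-row excerpt copied from the table above (the full run has 136 rows; order kept, rows not contiguous), so the counts are for the excerpt; DYNDNS_SUFFIXES is an assumed list of dynamic-DNS providers.

```python
"""Triage of a sandbox network table: collapse repeated rows into per-destination
counts, set noise aside, and list hostnames that were queried over DNS but never
connected to.  Added example; not part of the sandbox report."""
from collections import Counter

# Excerpt copied from the behavioral2 table above (14 of its 136 rows, order kept).
ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""

# Assumed: reverse lookups and the Windows 10 image's own Bing traffic are not the sample's.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")
# Assumed list of dynamic-DNS providers worth flagging in a RAT report.
DYNDNS_SUFFIXES = (".no-ip.org", ".ddns.net", ".duckdns.org")


def parse(rows):
    """Turn 'Country Destination Domain Proto' lines into dicts."""
    records = []
    for line in rows.splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        records.append({"country": country, "ip": ip, "port": int(port),
                        "domain": domain, "proto": proto})
    return records


def summarize(rows):
    recs = [r for r in parse(rows) if not r["domain"].endswith(NOISE_SUFFIXES)]
    conns = Counter((r["domain"], r["ip"], r["port"]) for r in recs if r["proto"] == "tcp")
    queried = {r["domain"] for r in recs if r["proto"] == "udp" and r["port"] == 53}
    contacted = {domain for domain, _, _ in conns}
    return {
        "connections": dict(conns),                           # (domain, ip, port) -> count
        "dns_only": sorted(queried - contacted),              # resolved, never connected
        "dyndns": sorted(d for d in queried if d.endswith(DYNDNS_SUFFIXES)),
        "cleartext_http": sum(n for (_, _, port), n in conns.items() if port == 80),
    }


if __name__ == "__main__":
    for k, v in summarize(ROWS).items():
        print(f"{k}: {v}")
```

Run over the full table the picture is the same: rwkeith.no-ip.org is queried 26 times with no TCP connection recorded, and the only TCP destination attributable to the sample is 44.221.84.105:80. A DNS query alone does not prove the name resolved; the likeliest reading, which the report does not state, is that the dynamic-DNS name returned nothing usable during the run, so the host it normally points at is not in this report and should be sought elsewhere.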

Files

memory/744-0-0x0000000074C02000-0x0000000074C03000-memory.dmp

memory/744-1-0x0000000074C00000-0x00000000751B1000-memory.dmp

memory/744-2-0x0000000074C00000-0x00000000751B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jnatxnye.cmdline

MD5 cc0d94264e27f5094dd67c4632512fed
SHA1 a488f85222e864e7fd76eccb6981af6401a7a5f6
SHA256 970876d5bc12520663e1de7e0c8cba8e08348e752b8471ff09f9e7552e0f5ebd
SHA512 02db3ff41385cb7e745067f3accb38a3ee7763adce09a91476e61737b6e5cedbdc1a23bc92e7e9138a65df388b95f1267e25e2fe91cc515f0001536e8bbc16e5

C:\Users\Admin\AppData\Local\Temp\jnatxnye.0.vb

MD5 69945620ea1e15557ebb0778e108ea63
SHA1 36b8d9ffc5eab17ca0a3fd871886d1decf0c7a41
SHA256 6869fa6efcc4435dd74a0e82ba6c78a83e4ca25a94866394bfaa39b1fd0aa694
SHA512 661590ed792ef7e9288eb645d58ea4dea059df89ac1d61cd702cd09490ef868a0e170c4be28a686c90a5fc22a8f8bb6bb6c954022de6e032df065a84ae742fb1

memory/5028-9-0x0000000074C00000-0x00000000751B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbcFB82D3E0314C4826858B71D84BA576E.TMP

MD5 e8ebb6656dd1155314dfeb21f1f2da6a
SHA1 e6efc86a051b1e9d03febfa6bfcd1ab3af58c60a
SHA256 1bf7141b67e993deb2101421dc3bfe8bbfc785f953871b81813df3095e8b0bf6
SHA512 1912a627e5c05ab4f3fa9767c1aad9c44211cde7d4dbcb28c502f383f63824e9a859f0cc35aed182ab198e68ed6b9654719a28eaf38d5bd1d4a87accad6ad455

C:\Users\Admin\AppData\Local\Temp\RESB1CB.tmp

MD5 e6687c99d663575a61d4e8d7343d17a0
SHA1 22f108a1aa30b37a58281c7462f76d852495b7b3
SHA256 65a923b6e2587c9a13197d6d7f7fa3e762210639e46570e38c0892848daaabff
SHA512 bbe299be7d780d1a50f8fa16e6b4208d76508f6e3c50cc1c9c7da678b9092003a5ae1a0542330cac23944eaf890b808e3c0667ac289f4c7a2f089ba3c7599f28

memory/5028-18-0x0000000074C00000-0x00000000751B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAFF7.tmp.exe

MD5 5e6dbd2279c5bf4c61ff86a6a51e174a
SHA1 8aa30a1ab47d328cc07acfc08f24c8e0d82474c7
SHA256 9c826dcce1367aad0f268c9352a62892898531544106053b711c8c6b0cfee4bb
SHA512 301f22bac294c85812d99992ffbb66e0aa6a6436fefce8b61b64ec5e1b38a707a13d34714a1d8a4666c20eeee9343292aade897eb6bc460904f2bfb5200f81a5

memory/744-22-0x0000000074C00000-0x00000000751B1000-memory.dmp

memory/4924-23-0x0000000074C00000-0x00000000751B1000-memory.dmp

memory/4924-24-0x0000000074C00000-0x00000000751B1000-memory.dmp

memory/4924-25-0x0000000074C00000-0x00000000751B1000-memory.dmp

memory/4924-27-0x0000000074C00000-0x00000000751B1000-memory.dmp

memory/4924-28-0x0000000074C00000-0x00000000751B1000-memory.dmp

memory/4924-29-0x0000000074C00000-0x00000000751B1000-memory.dmp