Malware Analysis Report

2024-09-11 10:23

Sample ID 240717-dcw4lssfrp
Target 56fda1a225279bc1a477cd3f82fd34a0N.exe
SHA256 662ae2b794e8775927d6f8af0d7df19514dd2e3958db545dd048f2b79d4dda6d
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

662ae2b794e8775927d6f8af0d7df19514dd2e3958db545dd048f2b79d4dda6d

Threat Level: Known bad

The file 56fda1a225279bc1a477cd3f82fd34a0N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Uses the VBS compiler for execution

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-17 02:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-17 02:52

Reported

2024-07-17 02:54

Platform

win7-20240705-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9C01.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp9C01.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp9C01.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2496 wrote to memory of 3008 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2496 wrote to memory of 3008 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2496 wrote to memory of 3008 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2496 wrote to memory of 3008 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2180 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe C:\Users\Admin\AppData\Local\Temp\tmp9C01.tmp.exe
PID 2180 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe C:\Users\Admin\AppData\Local\Temp\tmp9C01.tmp.exe
PID 2180 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe C:\Users\Admin\AppData\Local\Temp\tmp9C01.tmp.exe
PID 2180 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe C:\Users\Admin\AppData\Local\Temp\tmp9C01.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe

"C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2wwl0clx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D98.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D87.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp9C01.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9C01.tmp.exe" C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2180-0-0x0000000074161000-0x0000000074162000-memory.dmp

memory/2180-1-0x0000000074160000-0x000000007470B000-memory.dmp

memory/2180-2-0x0000000074160000-0x000000007470B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2wwl0clx.cmdline

MD5 831484d493db3a3858c58465458c75d3
SHA1 d79b7bada2537ad14e3eb97e23987f2cbd28581d
SHA256 6061dbd90babb165baaff7f75ecfd00391138dddb4fb763836603721d8d7c51a
SHA512 228723683b504eff2c31dfcccc76e4b103b84856fda85a4dc262d493d31a4d199c0333f8963d7b2d78c52e81aee8df8a69fcae8916a63432898db87ad5d79261

memory/2496-8-0x0000000074160000-0x000000007470B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2wwl0clx.0.vb

MD5 d243e73a90102ec91eb37ce01f3067d5
SHA1 0bae02e6b06484dbc05747b7da97fd73135942cf
SHA256 11bb501db250ec8fdc6e401039ae8183bc00c335bab0affe86d952d7f18a8fca
SHA512 b7e9c2671e367454e7781070a60567b1fcd4360fd264e72c0139a847c753463f47c2cd8725e4e3e182690b9b58e124e480ea02279f75012de6c476d44be8ae18

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc9D87.tmp

MD5 9bd54e5929e6a092c96baccae22c2588
SHA1 ec0e8a3eb472b2d964e01d4cb02bdbfd97ed3896
SHA256 45f3b0f72c29d06b8bad3935ae4db1acbad0c5272ca736601eec203691c8e849
SHA512 9b2686a91437428eb0058c46d024ec89f514be8fc23b7f36dc62c73b93d7d3b2edd0daa8d6034b8c479c57ad4f4d12daa097f450fef309d4e387f5c67f53ca28

C:\Users\Admin\AppData\Local\Temp\RES9D98.tmp

MD5 eecd4a509af43bdf12f1dded1acb23a1
SHA1 b018bee0d1af1ff85bbaf375f1ff71e656a8f230
SHA256 bdeb4cdcbdd7ae4d47074996481f6f743341b3a11c5d053758561a7a37bdc958
SHA512 8e6c71f307f63dfd16e71c818bcb4c5bfd3afd533bc15740e6ac40e60d2f84b75af53dc071c17f8a92dc0212ae3bc9397ce7bde1e0fb8e6456a5c3858c7ac407

memory/2496-18-0x0000000074160000-0x000000007470B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9C01.tmp.exe

MD5 948910d9b4ab2f0816a5c8643f9ed5e1
SHA1 ebf10c8ee97e1acfb7c02a52709d0727d0a170b1
SHA256 afbaa29d80627c88ecc0aeaa24223b851546245958d65947e9e9dc40d063f124
SHA512 f0e5e1e42e6b20ec34fd886264c18c478093d12d616add8d4b74554d20d9a0b80fbb85565d6d3e952cbe685b0e14df4683b4443d55d55da449deec0785fb29e2

memory/2180-24-0x0000000074160000-0x000000007470B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-17 02:52

Reported

2024-07-17 02:54

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5DCF.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp5DCF.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp5DCF.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4696 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4696 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4696 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 464 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2752 wrote to memory of 464 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2752 wrote to memory of 464 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4696 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe C:\Users\Admin\AppData\Local\Temp\tmp5DCF.tmp.exe
PID 4696 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe C:\Users\Admin\AppData\Local\Temp\tmp5DCF.tmp.exe
PID 4696 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe C:\Users\Admin\AppData\Local\Temp\tmp5DCF.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe

"C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\idoncn1a.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F37.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD246494BF4D44482A034A1173C3C98.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp5DCF.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5DCF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp

Files

memory/4696-0-0x00000000750F2000-0x00000000750F3000-memory.dmp

memory/4696-1-0x00000000750F0000-0x00000000756A1000-memory.dmp

memory/4696-2-0x00000000750F0000-0x00000000756A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\idoncn1a.cmdline

MD5 8d1ced5a993fd2eb7bc8bea9c7813b25
SHA1 f6baebc60814266a0799bc72a4a9a0c757d64346
SHA256 85f1f0b8ae0a32075a9f761fc27587e6fbd4e39b697e518e52f76f734d94b079
SHA512 b36bc4602784b1ca5570d95e14403fe577495e9078366900202aa64ca8a1594470f14bb61ad6d7cc8e121b1afc8c633c591e49ecfd50a867c5424686ec00fed7

C:\Users\Admin\AppData\Local\Temp\idoncn1a.0.vb

MD5 4fe832a34dbf8b56e644500eab069feb
SHA1 bc8c1219dc0ff4ef56b6a406b63649d12000230c
SHA256 842237ea012d711b84756c1642d194fa34107c3e7f98c3fc929aff3383a9f64e
SHA512 304ebfada44e38fc5711acbf0efa94b1d49b2a5fbdf99aba230bcdd0b5b2415c79cf746595e83a5ca6d5906c97ccec658bcec3daf3a05e45df6a1f7197c68925

memory/2752-9-0x00000000750F0000-0x00000000756A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbcD246494BF4D44482A034A1173C3C98.TMP

MD5 e1efbb7095f3bddfdac0465aa4208f97
SHA1 b03d989a200c8a36d54288e216d595a72a89bd66
SHA256 9bf9faa3254bde28eccc92e45c58c05b2c6a438ab87c1a145e1127999e220ea0
SHA512 ea2a8f58bcb39d75cb9f268c622e01efbc7951b5d7b8394cb951a58c68dcdc706fa4bc970e87b36587d86c82d157c05c21c341fe08347c8deb05af60f7391f00

C:\Users\Admin\AppData\Local\Temp\RES5F37.tmp

MD5 730e6d1d97b52ea2eefda626fe327303
SHA1 08759df5234f97b9a1490facad661f69aff18c3f
SHA256 f801334c7e2edcfce47b54e56dadf6a2ef4573731b273cbf6bd2944c86038bbf
SHA512 35648a4f5e99d618cc0c1efeff2645005cc9b4a79a03546ac84ce70199f0d2bd693ff055d3290d5f1f94998a6aef5eab03568fa0c323090c2d342a4c1d00abad

memory/2752-18-0x00000000750F0000-0x00000000756A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5DCF.tmp.exe

MD5 9cb6c77df4a94aaf2f201fddf5df7fb7
SHA1 6af721d47f162c554fd9791ca9036520c8a5f6bc
SHA256 d80253bfd652c85dbbc8af45785294bf21d58e91a3112165cbe3d5dd84887642
SHA512 21c09496999960c314025425694b33ff42baf0dd47c7d9572576411c0963f8f049154ca507edb985b96e981c47e3103aaabcbe491ad957bcfa047dbeb11a83a5

memory/3284-23-0x00000000750F0000-0x00000000756A1000-memory.dmp

memory/3284-24-0x00000000750F0000-0x00000000756A1000-memory.dmp

memory/4696-22-0x00000000750F0000-0x00000000756A1000-memory.dmp

memory/3284-26-0x00000000750F0000-0x00000000756A1000-memory.dmp

memory/3284-27-0x00000000750F0000-0x00000000756A1000-memory.dmp

memory/3284-28-0x00000000750F0000-0x00000000756A1000-memory.dmp