Malware Analysis Report

2024-09-11 10:25

Sample ID 240721-zx6z7svcle
Target 0ef77e7056e91bce5f9c70414b10c470N.exe
SHA256 82facf63fe64f92f5c0ad240a0525faf0561691dbb6decd790d49a5a8eacda47
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

82facf63fe64f92f5c0ad240a0525faf0561691dbb6decd790d49a5a8eacda47

Threat Level: Known bad

The file 0ef77e7056e91bce5f9c70414b10c470N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-21 21:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-21 21:06

Reported

2024-07-21 21:08

Platform

win7-20240708-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1988 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2616 wrote to memory of 2892 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2616 wrote to memory of 2892 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2616 wrote to memory of 2892 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2616 wrote to memory of 2892 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1988 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.exe
PID 1988 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.exe
PID 1988 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.exe
PID 1988 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe

"C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5mo7oyhh.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C18.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp

Files

memory/1988-0-0x00000000742D1000-0x00000000742D2000-memory.dmp

memory/1988-1-0x00000000742D0000-0x000000007487B000-memory.dmp

memory/1988-2-0x00000000742D0000-0x000000007487B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5mo7oyhh.cmdline

MD5 d7092ffff86a90b4dff670f4d3b4e537
SHA1 7455211a43d32a1dfa0f3d7013fe92c3785bb879
SHA256 a21ba79009ddcf82f766fa63235c7bcece32267a432906c14e1967d8f7a2faae
SHA512 4d582f62affc6628d7bbbe2547ce74609d5ecdfdfe1cfd8224941efd2b4c72b3fc0928599ea192a92e8350ca2fadeb73e9ff441f32c0371ae0f82c60d57ab350

C:\Users\Admin\AppData\Local\Temp\5mo7oyhh.0.vb

MD5 d051820c57e5d87390647929820572c8
SHA1 a6e950b15c90a47c13c8dd8783b258a4fa589d5f
SHA256 6e3a1bcd76d49a659af67f40f82dcff58cc90d514bbf68a834dcc0c01aed2119
SHA512 f439d0f4e5c4c5b77c1f363819a8d0e5a9340d80182dbc83fc91817420ee831a3ac53748ad9dd88c59effe83019f0ad4e091747d08a8e7d36cf8dde6f28bf166

memory/2616-9-0x00000000742D0000-0x000000007487B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc1C18.tmp

MD5 52053116653a3744576b6a6df769a6c8
SHA1 f7d25d23047ed4bbe221d4d00cb1fb922f476685
SHA256 590875e7890231bff52f2e97b67a4b3facd450b23292d422d1498308afbd959b
SHA512 1ada1ca961d24c5b679aaded00ce987c1b14572547080fd484c0c51c83a37125015322a09e7ed42fbc76cafb3ce18219c77bc1cd1d022bca781a157bb0ec8eb3

C:\Users\Admin\AppData\Local\Temp\RES1C19.tmp

MD5 c77dd19247d633aacd168e2ad7b82cb9
SHA1 e0a53099ca2673fccb819db5cb2fe69ccfd2281d
SHA256 1df029c42f2d82173f35492eb7dfd2df63167d12e21f3d64979e4a90ace35670
SHA512 15048acc61b1b9be24bc6643d4c825b21149af4962bbdfb593faa7fd687a7964abca987ee82958d121ecaba3be00fb1546373a674334211a497d525f7eefe4b9

memory/2616-18-0x00000000742D0000-0x000000007487B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.exe

MD5 01adc36e881b1d055c7f550d4273a391
SHA1 2f1b13bb5301dbba8d953504890fa08bda0f347b
SHA256 4bfb6732f81315e0fa40c5c502fb966ad7aded3d50d60dffa475632c3471f088
SHA512 356e2b44b4b74aed5e1441682e24ce298199bfc6b9664b3e80fa580793d0040a352aed367562e1f3ebdc6d7011dc84c1cda8583d765c9fe21c7d4a6179dcaa11

memory/1988-24-0x00000000742D0000-0x000000007487B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-21 21:06

Reported

2024-07-21 21:08

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp971F.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp971F.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp971F.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3720 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3720 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3720 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1836 wrote to memory of 1296 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1836 wrote to memory of 1296 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1836 wrote to memory of 1296 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3720 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe C:\Users\Admin\AppData\Local\Temp\tmp971F.tmp.exe
PID 3720 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe C:\Users\Admin\AppData\Local\Temp\tmp971F.tmp.exe
PID 3720 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe C:\Users\Admin\AppData\Local\Temp\tmp971F.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe

"C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sfuiyvwn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD7FE27E7971F4E48934DB59F2BA7A3B3.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp971F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp971F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0ef77e7056e91bce5f9c70414b10c470N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/3720-0-0x0000000074A42000-0x0000000074A43000-memory.dmp

memory/3720-1-0x0000000074A40000-0x0000000074FF1000-memory.dmp

memory/3720-2-0x0000000074A40000-0x0000000074FF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sfuiyvwn.cmdline

MD5 a53f6fc523a6159228945059654dbc34
SHA1 11b58d8da2f2ebc6fd534ce343eb535347f71a7a
SHA256 8251df0a530e69bb36a5b57d80ed040534faac308c45df3d9041a0e42372fc6c
SHA512 78792b4b574a3168773970c80a9cd594b06d13f3e069f41c054b88b488709fb97c82d88f82cb38ce3d7da4dced387a1b842af5c37d04efa196ac5c3de9beac54

memory/1836-9-0x0000000074A40000-0x0000000074FF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sfuiyvwn.0.vb

MD5 f70b737535a2f824016b0998f59604e8
SHA1 3081bfe39eee97f00b046a77422d601da84a409c
SHA256 38618d7cd204ac3de250bc0016ebc0fe9a3c4e5592ffc7a66ddd8ce2f04b0e86
SHA512 69f37a7796d6422e6582083749ef4532f3a33d5fa994aa64f6a9dedd9406478e0effee4f88ba5a966623773cf32286d0dd6465ee5cac645b16b5f6393eb7e8fa

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbcD7FE27E7971F4E48934DB59F2BA7A3B3.TMP

MD5 922b54e33eb3783edd463d32b0ad6f44
SHA1 a0be1a49f45c8e35aec02183147eeccb848c786b
SHA256 e486bb3336244c771520c9c9ef763fb518bc8fc3e1712ae37da70fc9db0a13a7
SHA512 2ae29898000e7bc898f1963d240b552ad92592cdd447ec18b8135523ce07500035df7aa9a8f8327b4861582e9e2185d7ceea63eb6820b9d132698595d3a5a8d3

C:\Users\Admin\AppData\Local\Temp\RES97EA.tmp

MD5 20f72fd885eb43eeb2f3ff6cf65191b1
SHA1 08b186e16762ec4e1d05279ff9c995de25b8c4fe
SHA256 8abc176c146273e336cb4c16cc30350906eb4f9b79a9c9d1eedc4155b3ba9917
SHA512 124549aca89f79a6284ed39d4475403780bc78b531636dd2e50899b67df2f6929bdcf779f7dec7e1b4a269f9c52727ef3e87a9528bd01c8b01796b9e4517a34b

memory/1836-18-0x0000000074A40000-0x0000000074FF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp971F.tmp.exe

MD5 aca15e5b63d89dfbc0b41d089bbefe8a
SHA1 ed5afce791187b0277d6aedc2cde475bcfe489c7
SHA256 d7ef759a179ce9fa60daa5393221617e4a34ecb8783f82eda99fe82be3222f84
SHA512 3315774afcd2dbdd0db07cb02b62e74d22fdbc37368bfb301da00d50fca6e4e4033ca780565887f713f12cb1b814074857e360a8691747b58cbb6c94dc458156

memory/3720-22-0x0000000074A40000-0x0000000074FF1000-memory.dmp

memory/2004-23-0x0000000074A40000-0x0000000074FF1000-memory.dmp

memory/2004-24-0x0000000074A40000-0x0000000074FF1000-memory.dmp

memory/2004-26-0x0000000074A40000-0x0000000074FF1000-memory.dmp

memory/2004-27-0x0000000074A40000-0x0000000074FF1000-memory.dmp

memory/2004-28-0x0000000074A40000-0x0000000074FF1000-memory.dmp