Malware Analysis Report

2024-09-11 10:24

Sample ID 240722-xlp67ssdnf
Target 1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0
SHA256 1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0
Tags metamorpherrat persistence rat stealer trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0

Threat Level: Known bad

The file 1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Deletes itself

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-22 18:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 18:56

Reported

2024-07-22 18:59

Platform

win7-20240704-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpF344.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpF344.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpF344.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2632 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2712 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2632 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe C:\Users\Admin\AppData\Local\Temp\tmpF344.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe

"C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ohncvtrf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF420.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF41F.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpF344.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF344.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp

Files

memory/2632-0-0x00000000745C1000-0x00000000745C2000-memory.dmp

memory/2632-1-0x00000000745C0000-0x0000000074B6B000-memory.dmp

memory/2632-2-0x00000000745C0000-0x0000000074B6B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ohncvtrf.cmdline

MD5 739e67dc80ebebd1aaa840ea39647bff
SHA1 b0ec0b061222ad159a6372c8144cfc281ae15634
SHA256 99db3e5483a657998eabbe15c640d9d9913443e267c8025803806208779d95a1
SHA512 93d8b02ab557356d92643039018c46214bdbc1293acfd5e5f7d687b3772bfd75afe34dec6c6b482c942ca567531ae758854bc61b7a475c1460a9e2bfd09528d9

memory/2712-8-0x00000000745C0000-0x0000000074B6B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ohncvtrf.0.vb

MD5 b86706b55a03ab75ebee846491025c99
SHA1 0a0d5eefcf811fa4b178a1724592a83e1e4b2dd7
SHA256 d67a39912c1ac0db4a614215b273ca357b21530e08e49a6a959917b1ff70f56c
SHA512 f45c51ac5998db9f72ff68c1009a87cefb9c4bc99813daa6dae8ef82bb9e6570a4b694c2e819b927cebd28ff7db64fd9aee341a29ea01d6699a19498c25be335

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbcF41F.tmp

MD5 33c4afdde2fcc7fbbc6966408f13d1b7
SHA1 c51af7bd275286cc57eda443204612eb0043401b
SHA256 7922929b23112a8ab6e4341d036d65747b67b5100c91f5d05dd560b9ac7d193f
SHA512 1bf01452449040ca82be1f63e5c6f080389f1e6dd0a0f5fc0882f77f9593d99874c5fff6693c518b7b896965e041d19680337a8fae70b4504e234c5abb3ce556

C:\Users\Admin\AppData\Local\Temp\RESF420.tmp

MD5 58ee8f747294f3ffda17f1647b010f32
SHA1 10f0bae1918dce5a7c5b56ec6c5a6935db2d32a5
SHA256 8e8217810ae11dac2ff699967dadb6a82d984f7f4f1bf3e988e91b836eef5a74
SHA512 ac9acb08d65068512f7316210db248b8885e313dbe01f507c7e4fd27c9172ddbc3c507a2d7f04fc07748642ce87b86d3948c25dfb5a59481b3bd0d80d1c69055

memory/2712-18-0x00000000745C0000-0x0000000074B6B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF344.tmp.exe

MD5 389cc8afce975eab977e3eab7dc651b4
SHA1 e9494de879c80fa03a2e1a713cebce624e5b10e4
SHA256 e7ec39e6bdb3bfa3779f60410e3ec0563403eabb266a2841e846d2737bbac025
SHA512 850652dc851f9f15e5912296752935131991b919a3209fc016c1489735df572386e2c51b61ef38edd2e41b9a0b8ee1e929ce6a1a4769daf00bcf8c5eeaaf7cd3

memory/2632-24-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 18:56

Reported

2024-07-22 18:59

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpBFB6.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpBFB6.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpBFB6.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpBFB6.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4832 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2184 wrote to memory of 2304 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4832 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe C:\Users\Admin\AppData\Local\Temp\tmpBFB6.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe

"C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bkyzu9v5.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC18B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F5935E293E4DD68C2BCDBB9DEAA4.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpBFB6.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBFB6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

memory/4832-0-0x0000000074762000-0x0000000074763000-memory.dmp

memory/4832-1-0x0000000074760000-0x0000000074D11000-memory.dmp

memory/4832-2-0x0000000074760000-0x0000000074D11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bkyzu9v5.cmdline

MD5 3f1b759e9be1ef0d102eb999bd8dc4e6
SHA1 d4121d00af8ba6e4769f1ca02b6bc15d7a5115ff
SHA256 f9016cb79596ffc162a9e43359b343904d48b1e43ae3bf5e7ef8efc26dfe354b
SHA512 61285f1fc5c856a227f7398df9cc3cfe73b0764c42ee4f28dd6db227781d903ecbbe8a41f626c12bdca00d94ea1b3c3d3518f8a217b64a81f5c9251d759c3d66

C:\Users\Admin\AppData\Local\Temp\bkyzu9v5.0.vb

MD5 8f778391b1234b4e3bb9c0d959b6e8d6
SHA1 65a65d8bc52fb6b0001a27763ebad00a6c38bc44
SHA256 229a1905faeb8cd8e68ba6321e2cbf7a86cc180c166c3fd5bf793c1ed7618aba
SHA512 80bbffce44d1fbf1ad7f87b0ee199b47891fc6e3899803b2760d9c0ec8829e7479664193cc083dbe32eb6697f5e7a8a8337d1dda43896fc217ae9b822fcefad8

memory/2184-9-0x0000000074760000-0x0000000074D11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc6F5935E293E4DD68C2BCDBB9DEAA4.TMP

MD5 5ba9f4cbc96ba3097d284292d045c7da
SHA1 3ef23512a501a43dd06dd40922d88f57b3385b80
SHA256 bf325084b67bf5ec8755dc57ad7dcc03a41ec8a0a8b51104700ed80e4988bea7
SHA512 6aacf2ef01bde92e95dacb5df3d2a60f95efdfb9c540a08f1ac8df4475e945d9f99df5b213f99da1636034aea69299275c6da7ecc7a5c02e9470e0e350992dd3

C:\Users\Admin\AppData\Local\Temp\RESC18B.tmp

MD5 7c2c5c8589e2f22456390bd8f1b9ee48
SHA1 8ecb1ed3b82a8ebe5ca813e776002a377eb9fc41
SHA256 f0f6ed3e5860daa0809e511f30f77697d9cfff9723e8420b5cde689dcbf76c8e
SHA512 a454f988857a5707c17550c6d5c66bebd0c5da16b4cced011ccaab1dedce5ac6c311947728b883ad21803ae6ab034254e7f64c85be1380288842fbc08cf18361

memory/2184-18-0x0000000074760000-0x0000000074D11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBFB6.tmp.exe

MD5 77bece14d2fc91bb861648c99f856c10
SHA1 93d819e04c290002f77cd2b14706f5fc3410c297
SHA256 ca479aeefc42f7dd4358cba7d44227e934370b378598aa0d73f362e1307ae16d
SHA512 30d07ee917786efe4ef1c3d4d82018136968a32b991a645151304e1be3bd66e6802fbe4c992f5c703bb372af0b964076fdf67f7a6b3a9e32bc447fdaf378cbde

memory/4832-22-0x0000000074760000-0x0000000074D11000-memory.dmp

memory/4088-23-0x0000000074760000-0x0000000074D11000-memory.dmp

memory/4088-24-0x0000000074760000-0x0000000074D11000-memory.dmp

memory/4088-26-0x0000000074760000-0x0000000074D11000-memory.dmp

memory/4088-27-0x0000000074760000-0x0000000074D11000-memory.dmp

memory/4088-28-0x0000000074760000-0x0000000074D11000-memory.dmp