Malware Analysis Report

2024-09-11 10:24

Sample ID 240725-gtgxsswamd
Target 86ef2a66c72c1d358578f09b15ae4dc0N.exe
SHA256 62fff19daf26f0eabeb7f64b8261ce206b5568478bf26e56d49b7c6ecec26feb
Tags
discovery persistence metamorpherrat rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

62fff19daf26f0eabeb7f64b8261ce206b5568478bf26e56d49b7c6ecec26feb

Threat Level: Known bad

The file 86ef2a66c72c1d358578f09b15ae4dc0N.exe was found to be: Known bad.

Malicious Activity Summary

discovery persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Uses the VBS compiler for execution

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
System Location Discovery
T1614
System Language Discovery
T1614.001
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-25 06:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 06:05

Reported

2024-07-25 06:07

Platform

win7-20240705-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2772 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2772 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2772 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2772 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2560 wrote to memory of 2932 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2560 wrote to memory of 2932 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2560 wrote to memory of 2932 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2560 wrote to memory of 2932 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2772 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe
PID 2772 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe
PID 2772 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe
PID 2772 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe

"C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ts34c9pg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7FC.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp

Files

memory/2772-0-0x00000000743B1000-0x00000000743B2000-memory.dmp

memory/2772-1-0x00000000743B0000-0x000000007495B000-memory.dmp

memory/2772-2-0x00000000743B0000-0x000000007495B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ts34c9pg.cmdline

MD5 06020ad8f4269f44e3a8b29349c068d7
SHA1 e8324cbc2c9e7c9af56520ee9f248aa54b0ab51e
SHA256 cad663a3623e1414517ae38a74dbbe239e1199d2d1c98219d1bf25e4d133637d
SHA512 5cb6ad8640f3da997ff802fdabf0c7fb814a6664b13543c730395f1da8f5df3e9b7164d64c31cf469f5dd77c13430fd07cc9ab1bd9339f99c2e54317cb3ad7d0

C:\Users\Admin\AppData\Local\Temp\ts34c9pg.0.vb

MD5 a2e80cfae374b87aba44a6fbb10fed90
SHA1 deb0a4f9c757c80bbe0bf3fec1dd614913959ec8
SHA256 724efa82ba8b15e2b7800d0e378d915a90267216401901c190eebf8f1287c84c
SHA512 fd02a0490d14373048aa39238f7cc87acdb69e765645695cc6d180ead45e0760ff3d0ae5f41350aee00b5ce676c8e1bddf248546fd127350e2b3e39313374e32

memory/2560-9-0x00000000743B0000-0x000000007495B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc7FC.tmp

MD5 13919ca909b3c480200a1541961ef351
SHA1 53ebe955f84b543d17eac71d2421414f3a620a52
SHA256 599a0159cd645ca31365dfd70d1e26f4819a5a547f210c6261f18a85e82ded35
SHA512 af57a372e925940cb61e91699a42a571599ed8da033cf2f9dadd436154f6200a84d2ac1db2a7d4f51c2bc1a634b200040856c222e299eaf5ac0a03150d651fd4

C:\Users\Admin\AppData\Local\Temp\RES7FD.tmp

MD5 cfcf918589824c4dce9d57f2faa458c6
SHA1 6df0fe99f1a6cd7c24b6fb258ca94e560f99b1df
SHA256 63ced3cfca33ad67e92fa7f969ff1ee1b3eaa2b3a22d6e1430e4eb83cc7796e3
SHA512 8c9dcf8dd6613bc1fc8fcb116ff1c4c3c754112e8ba0f03ecc95389fea02e913ffed9b64f03678c150ad855d7f915778ba68474a68a7f3683c5aad2de1e9c738

memory/2560-18-0x00000000743B0000-0x000000007495B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe

MD5 b0e56cf6c4259a9e55e4684871fb7c8f
SHA1 2fa49530943b0c97544aa6b2c24baab6c9d361d8
SHA256 599ec679fe77d6148a934ff7b2c0c8b4806a3652f304a257d0d7382e6e9043a3
SHA512 e7d0a78176c0ac500f169cfa66ce365db78a31ce8f99f42bb35af27290671bb4f591a37f0f9808f05d731236ee9ba882bede56291b71068776f68989057118e3

memory/2772-24-0x00000000743B0000-0x000000007495B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 06:05

Reported

2024-07-25 06:07

Platform

win10v2004-20240709-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp827E.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp827E.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp827E.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp827E.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4756 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4756 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4756 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1220 wrote to memory of 3144 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1220 wrote to memory of 3144 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1220 wrote to memory of 3144 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4756 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Users\Admin\AppData\Local\Temp\tmp827E.tmp.exe
PID 4756 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Users\Admin\AppData\Local\Temp\tmp827E.tmp.exe
PID 4756 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Users\Admin\AppData\Local\Temp\tmp827E.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe

"C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oclwcmj5.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4AA8D4E49F3D47938168462F8634E78.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp827E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp827E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp

Files

memory/4756-0-0x0000000075442000-0x0000000075443000-memory.dmp

memory/4756-1-0x0000000075440000-0x00000000759F1000-memory.dmp

memory/4756-2-0x0000000075440000-0x00000000759F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oclwcmj5.cmdline

MD5 4208fde24fd65bc29771d23d059e9060
SHA1 ad9753147c9c6255e7444d335bbddb02171528c9
SHA256 a0b197d4c9982fb083cf9dade170ac41fc228d89f0aa71340a1b2726d5849c04
SHA512 9dbafe72aa317616300d10d89d7afb9e4b3f35b87d877a6770355880358aa7ab62fd0ea511f8b81f57d57c7287f72e6bd412ecd3581b3bce5c241373c29c805b

C:\Users\Admin\AppData\Local\Temp\oclwcmj5.0.vb

MD5 c70d1b126ece345cdc1b520b9de4d44b
SHA1 9948a71a5cd368fa016f2fa51919911844f5a527
SHA256 a059ee0b3237894a86867417bb7f574aa8eaec3df094f8410cbecc804059d2cc
SHA512 df38f5172f5a0548dc9d670706899014065d47b20b1dd09ba7b17c4d540ca22e8fdb8d80f52e08949adf074379cf619c3334657f1ab0aba5fae25aea04f4575d

memory/1220-9-0x0000000075440000-0x00000000759F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc4AA8D4E49F3D47938168462F8634E78.TMP

MD5 856be03052d04c9b5ac0e32fa2a653a2
SHA1 28efe39b92c88dc4dbb59f8252228fad7cf076cf
SHA256 9750f919419e034d9edb70cb054a00d57329082dfd6da6ea2cd30e403cf3b689
SHA512 b3422b4d504f600457c54a12f153ce56c7880540576527c8a9a5fb3e51c5910eb34696653e72d4f33ad6fd462dbe971df1c67d7b3b7139b87541522cff70d53e

C:\Users\Admin\AppData\Local\Temp\RES83D6.tmp

MD5 718bc1875cb07bb34f66c9ed8d670998
SHA1 4fe288b3d134e38bec9f2c19261d79de8eec24b4
SHA256 cf435a53a1057560e9402e06d8c781fd29acfac6d1816b5bf1e1657f92b3e222
SHA512 f37eba047abd5bf099372bfb81bc6c73924c4a3d3341ead431d22b083eb2e5a023aa12e19658b6ab423218c174a2700ebf9532c9725e69cb6dd532ee6d0a9f34

memory/1220-18-0x0000000075440000-0x00000000759F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp827E.tmp.exe

MD5 d8fc893955e9d679af56d747b6bc505f
SHA1 06cdf47d043c28fcd16a1b518a902c8d0ae084e7
SHA256 51773199890b4022eb57636ef332e88eb7efdbbfc86cdac57ca338638b387140
SHA512 0b3fbf2c564a6e868a62164512c721b8b1d4b50b09191813b21d17b22d7ca601ed833b02eb2e6a49eb55d05cd0a7a7c53f1a9222c903030692ebee8a81f25cdc

memory/4756-22-0x0000000075440000-0x00000000759F1000-memory.dmp

memory/5052-23-0x0000000075440000-0x00000000759F1000-memory.dmp

memory/5052-24-0x0000000075440000-0x00000000759F1000-memory.dmp

memory/5052-25-0x0000000075440000-0x00000000759F1000-memory.dmp

memory/5052-27-0x0000000075440000-0x00000000759F1000-memory.dmp

memory/5052-28-0x0000000075440000-0x00000000759F1000-memory.dmp

memory/5052-29-0x0000000075440000-0x00000000759F1000-memory.dmp