Malware Analysis Report

2024-09-11 10:24

Sample ID 240726-sgmhasyejh
Target 225c0b4ed49f5896b45033ffcc1de010N.exe
SHA256 1b1d5bf28e6cd68f4fc5e2daa13d844177151a9dc4ab35a9e7df980d843a6489
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

1b1d5bf28e6cd68f4fc5e2daa13d844177151a9dc4ab35a9e7df980d843a6489

Threat Level: Known bad

The file 225c0b4ed49f5896b45033ffcc1de010N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-26 15:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 15:05

Reported

2024-07-26 15:08

Platform

win7-20240708-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD671.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpD671.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpD671.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpD671.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2420 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2420 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2420 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2180 wrote to memory of 2708 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2180 wrote to memory of 2708 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2180 wrote to memory of 2708 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2180 wrote to memory of 2708 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2420 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe C:\Users\Admin\AppData\Local\Temp\tmpD671.tmp.exe
PID 2420 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe C:\Users\Admin\AppData\Local\Temp\tmpD671.tmp.exe
PID 2420 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe C:\Users\Admin\AppData\Local\Temp\tmpD671.tmp.exe
PID 2420 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe C:\Users\Admin\AppData\Local\Temp\tmpD671.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe

"C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6hff068k.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD866.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD865.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpD671.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD671.tmp.exe" C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe

Network


Files

memory/2420-0-0x0000000074911000-0x0000000074912000-memory.dmp

memory/2420-1-0x0000000074910000-0x0000000074EBB000-memory.dmp

memory/2420-2-0x0000000074910000-0x0000000074EBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6hff068k.cmdline

MD5 5cb7fcf6be7ac3d4a6d7f9883b1ec9d6
SHA1 0d87c51ed359776a5d68e3c4ef3e28ec3eda7b4f
SHA256 70ef6c682890549a4e88d557ea5becac691bbf4999fe375a0339ed74ead9e210
SHA512 5b17528b4121f6d81000d261480d08d8f15fe3bbf9b29a48c849c576e09e7b14d065c1b75a2ad4d418dedfb19eb0286d2e0672c69d82df6057a455a3ce9c7a05

memory/2180-8-0x0000000074910000-0x0000000074EBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6hff068k.0.vb

MD5 bd3afaf0a9f42f1430f4fc5ac6f6bbbf
SHA1 0d752728bf01a9936d5cf0f8aa78dd3b288e1b7b
SHA256 6789788bb1ba0e397000b15545713b1468f7f749e581d1d670d7224d98a91694
SHA512 1be0f5fd0e0c705f4cc3b3d70bfd1a42abecd0a8d5add45e72c4a186ed027ca6d669000098dda61bffff5f8e3cdbe22b364f8186243f9ffa2d11f11859060749

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbcD865.tmp

MD5 d94980952f12b3348f3e14c5e3d2048f
SHA1 ce16f015abefdc2b3cd56baad3e9afc64296355e
SHA256 d6ea1f4b57aa1e492d6240ce9e94aeb0fa985bdfb84e263dead920d7a091ec85
SHA512 81764961785f0a931d63f77f88ecd1b8951f6dc124dc00f9fc5df392c1c7b13e486b07755b95dcbca1288689dedd73926c4ada599f2cf49cd84f526734421f4a

C:\Users\Admin\AppData\Local\Temp\RESD866.tmp

MD5 aa940126e3b0c3088b66fb191d08326d
SHA1 859e54d8586371f378731eff787cc9a187338948
SHA256 c2964958035f6d3b1656b2a608f91f93792d6be3c5fbcddc1d4f9b31125e4043
SHA512 b50ed069c1d41524a946b45a2558d2645249a9797366987a1053c3f486c6ba955a24357c8c3875cca82934b6774d09c62f17e3024b79852d9ec7a5cae53782f0

memory/2180-18-0x0000000074910000-0x0000000074EBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD671.tmp.exe

MD5 252c6437159f9b694b8cc9a0b1f80700
SHA1 6372198ed621f00cd5a2bba62128802c33cfc52a
SHA256 0775ddd4cfcd8d421defca57a6ce47d2b8fc8bec6d17a58763ee16a94c5c6486
SHA512 217e5a3fe8028c1edbdeaa583ee878aa73d1b7c061091c24468c0ab4378e56a136bbb3b2d17c9ed57ff4a7368cb5d6cf6a548ef38dc18aba6ac0e402d0b85659

memory/2420-24-0x0000000074910000-0x0000000074EBB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 15:05

Reported

2024-07-26 15:08

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9357.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp9357.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp9357.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp9357.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe

"C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\23xogf2z.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9589.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc973D9C6F44DD46DE958DCC834C1C14.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp9357.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9357.tmp.exe" C:\Users\Admin\AppData\Local\Temp\225c0b4ed49f5896b45033ffcc1de010N.exe

Network


Files

memory/1952-0-0x0000000074922000-0x0000000074923000-memory.dmp

memory/1952-1-0x0000000074920000-0x0000000074ED1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\23xogf2z.cmdline

MD5 04f193c3e2102e2f4f2bf5c77bc79443
SHA1 844a12bdadc6fd560de478be33c8a87d76586501
SHA256 b2071e4629f7f48cb62993e972d7e11f4f57c85d5c3279a10d1e1548c1fa5581
SHA512 a575eb3d01b36e97206b91aa9e1c0ed1f804bc8f91b4a4146991d75475e17f485575c9ae11381e9047ce9b39c0f770e4dea5d8f7fb170d3a6c7ab45768cedacf

C:\Users\Admin\AppData\Local\Temp\23xogf2z.0.vb

MD5 0979a4a29166d7c1c9ec80b27cfbad7d
SHA1 988a133298d6a4aa96d18d58509c584085a065ab
SHA256 213016813466d3ec11a9d468effd44436bc5828c38f731c8735c2bd1421adcb8
SHA512 b813729ce780eb01020df160dd9c280a4961a8d0f34728ced04db82f043853fea132b1ca86d2d904cfc3f60a2cb83f85def6f689ca67cf9724f195863e01a58a

memory/2652-8-0x0000000074920000-0x0000000074ED1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc973D9C6F44DD46DE958DCC834C1C14.TMP

MD5 a78d8ab7aaeb3859bf7e23674a012db5
SHA1 73893f6f00774e8600723e0ca3fd7e8db51a7b9e
SHA256 8f76741ca1f95d0616aeecad1d50fa2352985c3a2a2f69c227e959005c51812d
SHA512 e3513b6b8d9b79b522ef847561fa5040a7e8e3a9a1e3585b6a6827651758fcf00ec3c10352fd9de4a5392d70a58ef93169b59a14044dc94bf56ff5610d0f5b3a

C:\Users\Admin\AppData\Local\Temp\RES9589.tmp

MD5 6965df5bfd5ae2439cfd226a891fabda
SHA1 c89a76dca03b05df7fc0e120a8a608c9d3ae058f
SHA256 7b8c0b7fcb0bfea1ad5e0ed4a442d5c1281870b4de7b6ce02b7416ccdb27feda
SHA512 fe1fdd2cc8acde7f4c77a36b63481d2dab60f908142e25c2b48749ee9be9e02a696db302d471141fb3792b727f932f32182654ff3e782cc6f8b5952b2428d1f7

memory/2652-17-0x0000000074920000-0x0000000074ED1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9357.tmp.exe

MD5 46d073b24046a7c6e2f4652d20493d57
SHA1 1d3602e86c940227fa1c1fd2a25f2c5b0ab11931
SHA256 5870be4a4387c148b7642ff703b1f9c4a0648ae194770e931b300d4c1fb14c4c
SHA512 ff2c55cd49fbd1a36e20081de04c2155573d31c51f0a98d92bf1164c7badb499a08200c8c4c8222481ac1e767d5d369182aeae5736949ec19da5751ed19a4d8d

memory/3596-23-0x0000000074920000-0x0000000074ED1000-memory.dmp

memory/3596-22-0x0000000074920000-0x0000000074ED1000-memory.dmp

memory/1952-21-0x0000000074920000-0x0000000074ED1000-memory.dmp

memory/3596-24-0x0000000074920000-0x0000000074ED1000-memory.dmp

memory/3596-26-0x0000000074920000-0x0000000074ED1000-memory.dmp

memory/3596-27-0x0000000074920000-0x0000000074ED1000-memory.dmp

memory/3596-28-0x0000000074920000-0x0000000074ED1000-memory.dmp