Malware Analysis Report

2024-09-11 10:23

Sample ID 240727-2t11wswdnd
Target 11289a05fb5a3741bd4a83bbc083e210N.exe
SHA256 41eea9d21d8f7d3c8b168fc1ec6387ee4c5686455a941559c82ad8c9f1e1730b
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

41eea9d21d8f7d3c8b168fc1ec6387ee4c5686455a941559c82ad8c9f1e1730b

Threat Level: Known bad

The file 11289a05fb5a3741bd4a83bbc083e210N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Uses the VBS compiler for execution

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
System Location Discovery
T1614
System Language Discovery
T1614.001
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-27 22:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-27 22:53

Reported

2024-07-27 23:58

Platform

win7-20240705-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3068 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3068 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3068 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2372 wrote to memory of 2572 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2372 wrote to memory of 2572 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2372 wrote to memory of 2572 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2372 wrote to memory of 2572 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3068 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp.exe
PID 3068 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp.exe
PID 3068 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp.exe
PID 3068 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe

"C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1ofw1t6y.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA21.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEA20.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/3068-0-0x0000000074571000-0x0000000074572000-memory.dmp

memory/3068-1-0x0000000074570000-0x0000000074B1B000-memory.dmp

memory/3068-2-0x0000000074570000-0x0000000074B1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ofw1t6y.cmdline

MD5 06e76e24eefc654968eeb836930bad6f
SHA1 fc9bcc2d34d5b7a4e8141feb4a39beaadae83130
SHA256 1b02e87ad61b4b12a5d2f6dc295957fa2798f612613a39cfa69a8fbc5c636407
SHA512 499d0d4e983d80f8591f2eb4fc32bb7b87079bbedf9c71188146c289d6f8f2de495752816820d2f189e9e12ab9f067db56afdd1b30f662f53584b31430060a1f

memory/2372-8-0x0000000074570000-0x0000000074B1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ofw1t6y.0.vb

MD5 dde582c16be7d143e1458d94dbefb5f4
SHA1 0f62e9f4f13b6d9de0828d1a956d8d72277965a6
SHA256 0d396c8d0b41abfe0b015f82271f50353635b73a10686c77ab4f0b7c58b73ba6
SHA512 89a2146f085ab01af6de42f178bd22e697030cbcd6aa4ca5dbe8536c4d1cdf5df4cb091546162698baae4a419abaa3e4c8bb551657e73fe4639d65eaec16cfe5

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbcEA20.tmp

MD5 7c6bb724802574f85253ae6353ee2b0e
SHA1 c99300557ebe1d34e77a03ac6bce29537fe3c320
SHA256 25eb343d34585794aa3152c9ba7d0d1d3e0ba00d557634f647844c25e52dbff6
SHA512 4b16d10dbfab0bafa0317862727847c4871d00b288491b9b5aab368b9552371b67fc31f03809d9343a31d1b674f63893e77421bd3e29166d2504ac035a82913e

C:\Users\Admin\AppData\Local\Temp\RESEA21.tmp

MD5 fee6c820d2afccb419f20890106614ab
SHA1 3fcc1d62f703dec71fd2c6869950bebfd1f31319
SHA256 3f47f33e3a684e7e4229b53d0fe5b0c64c01e103b03fdc4b7fd4986704602f41
SHA512 a69815c302cf3aa38e5fbc3b927778178a654c6d2b9be0a905bc0c36136135888999d29ef9c726b703a6c21fd96277d8134e9e6f2e754743e9101b41000c4acc

memory/2372-18-0x0000000074570000-0x0000000074B1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp.exe

MD5 de8bf1069bd09832691cad91c110002e
SHA1 58fc29ece900ff3283227a40d3feca3ab04e3d71
SHA256 0d876352b5a0f4171cf549efae0241bb04d12ed2c17813b3d6ca564d48229e9c
SHA512 4a548145b653934a139d4bd045d0bfa8a33369c90b14b8ce9917685e1686b9e7f442d9ef957265ef7f8322ba5bbb5c1e70fdd36dff639a84921ff2c225b7f9fd

memory/3068-24-0x0000000074570000-0x0000000074B1B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-27 22:53

Reported

2024-07-27 23:58

Platform

win10v2004-20240709-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9EB1.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp9EB1.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp9EB1.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp9EB1.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1604 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1604 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1604 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1080 wrote to memory of 4580 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1080 wrote to memory of 4580 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1080 wrote to memory of 4580 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1604 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe C:\Users\Admin\AppData\Local\Temp\tmp9EB1.tmp.exe
PID 1604 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe C:\Users\Admin\AppData\Local\Temp\tmp9EB1.tmp.exe
PID 1604 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe C:\Users\Admin\AppData\Local\Temp\tmp9EB1.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe

"C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5hrp_3gz.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc799AC87543E743A2869DAA33C084E3D6.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp9EB1.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9EB1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\11289a05fb5a3741bd4a83bbc083e210N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp

Files

memory/1604-0-0x00000000750A2000-0x00000000750A3000-memory.dmp

memory/1604-1-0x00000000750A0000-0x0000000075651000-memory.dmp

memory/1604-2-0x00000000750A0000-0x0000000075651000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5hrp_3gz.cmdline

MD5 6e65567a99474ff13af361b526a7bd89
SHA1 9c789ede10aadb71d148b7acb524371b3bcb87a7
SHA256 656b743b0a4f7cc4bec1ffc4dc23771a2589f74b78ad3abdc95757889db0c0fe
SHA512 fcfc8ef3fcfdc819aabaff615e4bc8c4705feb10c6bf694d196f7d0603e65967ae21f0bc305723b1705f4b9ea14a59aed905fa7d11b91d536bb15121cae81425

C:\Users\Admin\AppData\Local\Temp\5hrp_3gz.0.vb

MD5 910ab51893db0700a4810dde30bd7401
SHA1 c06c9946245b32213aabd78cc63df204b49ba1b9
SHA256 0dbb39012d7cef18617bc56f1b549e33da442e3fa9405fa3613041ef2706e910
SHA512 61eb243833111c0cbdd972dc776908e5849a3e9e93d94b76a813e312c9eb6d994d5b9dbdd8aaf5e8f100aebe15c99fa1eb455c790d089f958ce1bdbd91c6a780

memory/1080-9-0x00000000750A0000-0x0000000075651000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc799AC87543E743A2869DAA33C084E3D6.TMP

MD5 5d70e77a815d303ebf985b116e88af71
SHA1 f1bb8fe83061aa029dab5e0b88b8f118fd58ccd4
SHA256 a2a24cfb23505d2457ea0f1865a2ab386752f0b5b20abab7514c3b7866cb976d
SHA512 6fabd3b7964c9d9af0189d032284691be3cad5b48b5cf653f1ebcab1c350efbe234ad95a247b5c04918963130847095b9c34cf7354f28b4252a6709c3b1aa11d

C:\Users\Admin\AppData\Local\Temp\RESA1AE.tmp

MD5 1fd1e7b2c7fa31a50196480fa66dc802
SHA1 3393f47473b0af803fb69c48eb8d0f3195a6ce21
SHA256 119c2a916cccf9d88e5ffa2173559d7032b9ae6d031e1303c8eb873222bd00e4
SHA512 57936343b80d227d9ded1eba3b05eaaabb0edb63bb00e0d03acb63d090c81565e46955d3c2c7172439ad46cdfa54957d2a359a034c6d0e5023a05855289081ad

memory/1080-18-0x00000000750A0000-0x0000000075651000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9EB1.tmp.exe

MD5 26b7add58936d6977827ed47fbe63d2b
SHA1 623972a93a089bda488844438dd48f0e90fd826f
SHA256 8c82f76ed5305517203c454e70b5012b8604b01edb858942b524a015e2c66176
SHA512 fa3cd374d84ad4b6d49a0b089447d2d2bf619fe75eea6f7ea00d8951a3ea8f67cd5851de5fa6a3e7c1602ed7c7a766686f631e2653d0e5eae038a4449a8affcf

memory/1604-23-0x00000000750A0000-0x0000000075651000-memory.dmp

memory/3940-24-0x00000000750A0000-0x0000000075651000-memory.dmp

memory/3940-22-0x00000000750A0000-0x0000000075651000-memory.dmp

memory/3940-26-0x00000000750A0000-0x0000000075651000-memory.dmp

memory/3940-27-0x00000000750A0000-0x0000000075651000-memory.dmp

memory/3940-28-0x00000000750A0000-0x0000000075651000-memory.dmp