Malware Analysis Report

2024-09-11 10:24

Sample ID 240727-depsbasgmq
Target 85179dcefb0ad2d2d5049c53d093e700N.exe
SHA256 4c16d4255077e312e81bdaff984b65fab478179e7c302be88e01a40648026d9d
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4c16d4255077e312e81bdaff984b65fab478179e7c302be88e01a40648026d9d

Threat Level: Known bad

The file 85179dcefb0ad2d2d5049c53d093e700N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Uses the VBS compiler for execution

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-27 02:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-27 02:55

Reported

2024-07-27 05:17

Platform

win7-20240705-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85179dcefb0ad2d2d5049c53d093e700N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD1DF.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpD1DF.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\85179dcefb0ad2d2d5049c53d093e700N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpD1DF.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\85179dcefb0ad2d2d5049c53d093e700N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpD1DF.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2900 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\85179dcefb0ad2d2d5049c53d093e700N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
PID 2096 wrote to memory of 2692 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 2900 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\85179dcefb0ad2d2d5049c53d093e700N.exe C:\Users\Admin\AppData\Local\Temp\tmpD1DF.tmp.exe 4

Processes

Parent/child order and PIDs follow the WriteProcessMemory events above.

C:\Users\Admin\AppData\Local\Temp\85179dcefb0ad2d2d5049c53d093e700N.exe (PID 2900)

"C:\Users\Admin\AppData\Local\Temp\85179dcefb0ad2d2d5049c53d093e700N.exe"

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2096)

    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8qrlw_3p.cmdline"

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2692)

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2E9.tmp"

    C:\Users\Admin\AppData\Local\Temp\tmpD1DF.tmp.exe (PID 2708)

    "C:\Users\Admin\AppData\Local\Temp\tmpD1DF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\85179dcefb0ad2d2d5049c53d093e700N.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 3
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 72

Files

memory/2900-0-0x0000000074B91000-0x0000000074B92000-memory.dmp

memory/2900-1-0x0000000074B90000-0x000000007513B000-memory.dmp

memory/2900-2-0x0000000074B90000-0x000000007513B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8qrlw_3p.cmdline

MD5 74615573ee49317d674041334c2082ab
SHA1 7a5a35736959d3f54b2a92efaa5f34176144b0a8
SHA256 7a7545fe196d3e2a5154e1831c37cab43e45869bfe77bb6be88e2ce71be2f530
SHA512 658e2972dd456d752ddda457c8388fb118b0dd72ee0b6733c097cf6093ec4eb45f10c1eff2c69a9197f0a603f73dcfcdbd54a19e98523d18d2079f39c128cfdb

C:\Users\Admin\AppData\Local\Temp\8qrlw_3p.0.vb

MD5 776a2e67edfbdb31ab216aff856bbe11
SHA1 e5b367de35a3197b69061a66dc58ff5425c22c32
SHA256 18a410a15b531de835a2b75621b12d5a27c64cdff8238382b1820a15bf49d70d
SHA512 779aea45db9c2a65e8f293a404cec28fa057f15ff88e53862d53cb29dd85cd45858f5e05e258bfed9f8b3f93a1ce279f1249a7714f2001c6ea3dcfdbc5bf0601

memory/2096-9-0x0000000074B90000-0x000000007513B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbcD2E9.tmp

MD5 ae712b8b531a90a249f4c864b3f91e11
SHA1 39a70bbef717e74f505c8be1d24e6942fbbeb86e
SHA256 30c24afa60b73444f72cc7859729e246784db52540260b6bab85aae664bfa049
SHA512 56ff7760460ac93cead8e0727cb75fc3c025951a4b75e016d3543ebdfec91dd9a55d2ba04dbca0baeb4d0b5a6d20574e117528b0042ed96169f420bd0fe74577

C:\Users\Admin\AppData\Local\Temp\RESD2EA.tmp

MD5 89e510721dad5eb34ea0feb4f7c2a71f
SHA1 a7357878e470420de71fa3f07f4d40dbb410c516
SHA256 56071ba9fbc27cdcee98cb3299aba199b51f221457183f5f9ca7ed2ffa0181b1
SHA512 4c36e48c370940341faceea78892fc60812c861bfdce4ea793fdbe6ed4b4c8ff9b315bcb767fe2456d24b1555de332c142955383e07df333fad87db60b452883

memory/2096-18-0x0000000074B90000-0x000000007513B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD1DF.tmp.exe

MD5 7c77b393a78f22dc61378a167019366d
SHA1 168d466124f45357e53cb9c365154b7e6869dfa0
SHA256 3206ec00f19540064b5c639387e7442e0ea07180c37e7c4f75d21ab47ab7d922
SHA512 918e46c723087b8f9334f6dacfd7d0335214da734bd1838da33faf667d3dab091a06187e046cfb9fb8a71ac2e49875d933714be9186ea4f27ed992367260cf75

memory/2900-24-0x0000000074B90000-0x000000007513B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-27 02:55

Reported

2024-07-27 05:17

Platform

win10v2004-20240709-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85179dcefb0ad2d2d5049c53d093e700N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\85179dcefb0ad2d2d5049c53d093e700N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp78F9.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp78F9.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp78F9.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\85179dcefb0ad2d2d5049c53d093e700N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\85179dcefb0ad2d2d5049c53d093e700N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp78F9.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\85179dcefb0ad2d2d5049c53d093e700N.exe

"C:\Users\Admin\AppData\Local\Temp\85179dcefb0ad2d2d5049c53d093e700N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uos9cmna.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A9E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4BCFF4F6F9204328989DB9C9C92A7D5E.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp78F9.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp78F9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\85179dcefb0ad2d2d5049c53d093e700N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
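To pull indicators out of the two network tables above, here is an added Python example (not part of the report) that parses rows in the report's Country Destination Domain Proto layout, collapses repeats into counts, separates DNS lookups from connections, drops sandbox background noise (Bing traffic, reverse lookups) and flags dynamic-DNS hostnames and names that were looked up but never connected to, which is what the repeated rwkeith.no-ip.org queries with no matching tcp row look like here. The embedded rows are a short subset copied from behavioral2; the DDNS suffix list and the noise list are assumptions to tune for your own environment.

```python
"""Indicator extraction from a sandbox network table.
Added example; not part of the report. Input rows are a subset copied from
the behavioral2 table; the suffix lists are assumptions to tune locally."""
from collections import Counter

# Constructed input: a subset of rows from the behavioral2 network table above.
NETWORK_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
"""

# Assumptions: dynamic-DNS providers worth flagging, and hostnames that are
# background noise in a Windows 10 sandbox rather than malware traffic.
DDNS_SUFFIXES = ("no-ip.org", "no-ip.biz", "ddns.net", "duckdns.org")
SANDBOX_NOISE = ("bing.com", "bing.net", "in-addr.arpa")


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows into dicts; skip header/blank lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        records.append({"country": country, "ip": ip, "port": int(port),
                        "domain": domain, "proto": proto.lower()})
    return records


def summarise(records):
    """Collapse repeats: DNS lookups counted per name, connections per (name, ip, port, proto)."""
    dns, conns = Counter(), Counter()
    for r in records:
        if r["port"] == 53 and r["proto"] == "udp":
            dns[r["domain"]] += 1
        else:
            conns[(r["domain"], r["ip"], r["port"], r["proto"])] += 1
    return dns, conns


def is_noise(domain):
    return domain.endswith(SANDBOX_NOISE)


def extract_iocs(records):
    """Return hunting indicators: contacted domains, DDNS names, ip:port/proto pairs,
    and names that were looked up but never connected to (resolution likely failed)."""
    dns, conns = summarise(records)
    connected = {domain for (domain, _ip, _port, _proto) in conns}
    iocs = {"domains": set(), "ddns_domains": set(),
            "ip_ports": set(), "lookups_without_connection": set()}
    for domain in dns:
        if is_noise(domain):
            continue
        bucket = "ddns_domains" if domain.endswith(DDNS_SUFFIXES) else "domains"
        iocs[bucket].add(domain)
        if domain not in connected:
            iocs["lookups_without_connection"].add(domain)
    for (domain, ip, port, proto) in conns:
        if not is_noise(domain):
            iocs["ip_ports"].add(f"{ip}:{port}/{proto}")
    return iocs


if __name__ == "__main__":
    recs = parse_rows(NETWORK_ROWS)
    dns, conns = summarise(recs)
    for name, n in dns.most_common():
        print(f"dns   {name:40} x{n}")
    for (domain, ip, port, proto), n in conns.most_common():
        print(f"conn  {domain:40} {ip}:{port}/{proto} x{n}")
    for kind, values in extract_iocs(recs).items():
        print(f"{kind}: {sorted(values)}")
```

Paste the full table from either run into NETWORK_ROWS to get the complete picture; on the behavioral2 rows the output is the same three indicators (bejnz.com, 44.221.84.105:80/tcp, rwkeith.no-ip.org) with the Bing and reverse-lookup rows discarded.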

Files

memory/3932-0-0x0000000075432000-0x0000000075433000-memory.dmp

memory/3932-1-0x0000000075430000-0x00000000759E1000-memory.dmp

memory/3932-2-0x0000000075430000-0x00000000759E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uos9cmna.cmdline

MD5 3d398857aadb0a9725e279eb0ce94a64
SHA1 5729a8fd8025272c0b5b978a3620cc50cb33de7d
SHA256 28c2a101089fb319c0212f3bf3431d55d7b84f2f83eadd5898e330551d359c05
SHA512 6af9a289f51645ce9c52651e421790031ae292218257388c69471a6cbdcefebc37b9e834531f45066388bb2c0a3d12d7b88a8de80ea366240dcf373e77a6d8fe

memory/4608-8-0x0000000075430000-0x00000000759E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uos9cmna.0.vb

MD5 90ef1f981900febf5098f12a9ab87c65
SHA1 d231b6438d7dcabc0991a23d4524df9bd89f763d
SHA256 110658879e84bf3e788e2d88c3fe9d8cd9fa74b5b06c55e3ad730c244ce4bc52
SHA512 7b3a193e054475d1893d5614455decc9eb2df7ced1ab9aed8f5a66b9262a203fc3c744d3372bf7306db0ac57a7951b848eb9b38acd64d1a9dc2bab0624ad6006

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc4BCFF4F6F9204328989DB9C9C92A7D5E.TMP

MD5 628e0dec4f1672d006228ce215577a39
SHA1 d38c23bc36d7af23228d93347e5cb8bd522aa77f
SHA256 f293a6579094bfa8c596db31d40a9d70f29f345ebb388e8311ca2901ef77efc5
SHA512 93511bce3d8fa6d62420ad17eb26202beed60a01233dc32e41c0d13fd358a107e541564c74cd1edbc0cb9a793529171ca37878c3fef885018c523f9f5db0d465

C:\Users\Admin\AppData\Local\Temp\RES7A9E.tmp

MD5 27736979b520c0e922a500b42efd7dc7
SHA1 26a8209e0f8b6f12ba50b567a1e92ed0528cf8b0
SHA256 457942026fbdd48df4326f854cfc0f275be4e1e4c82d2ad737c070b2a9ca4de6
SHA512 23a5f9c3431cd67409b76114150552a11ec5d5270ff538f386b362df862543904485463d80e3d421e84126ef1d9a9568c851a7c88c12bfb29a2815c5db560eb0

memory/4608-18-0x0000000075430000-0x00000000759E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp78F9.tmp.exe

MD5 ed040e015b25fa32500d23132508f57a
SHA1 34f53ee34afa4a54316eac41e4067173e78c7725
SHA256 9f51890753d3c7adf1ae1e45f8d9eda55f443e4dd3a55b6ff7417b6e2521de60
SHA512 efce091a88b46cfe9896fc56de718e23357a115600dc360c979f9e46ef90fd718205edb0a8b427ab44b827875e021f9501d32c24e8b444bfe5bc2fe10056298d

memory/3932-22-0x0000000075430000-0x00000000759E1000-memory.dmp

memory/316-23-0x0000000075430000-0x00000000759E1000-memory.dmp

memory/316-24-0x0000000075430000-0x00000000759E1000-memory.dmp

memory/316-26-0x0000000075430000-0x00000000759E1000-memory.dmp

memory/316-27-0x0000000075430000-0x00000000759E1000-memory.dmp

memory/316-28-0x0000000075430000-0x00000000759E1000-memory.dmp