Malware Analysis Report

2024-09-11 10:22

Sample ID 240728-dtynrsycrc
Target 42153228868d7e181eba1f65682f8e30N.exe
SHA256 170b5f7340d0fd7b6377fe333e0a0abe95cff3ad14fd192a2159664f53ff2785
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

170b5f7340d0fd7b6377fe333e0a0abe95cff3ad14fd192a2159664f53ff2785

Threat Level: Known bad

The file 42153228868d7e181eba1f65682f8e30N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-28 03:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-28 03:18

Reported

2024-07-28 03:22

Platform

win7-20240705-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42153228868d7e181eba1f65682f8e30N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4422.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp4422.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\42153228868d7e181eba1f65682f8e30N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp4422.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\42153228868d7e181eba1f65682f8e30N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp4422.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\42153228868d7e181eba1f65682f8e30N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2796 wrote to memory of 2248 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2264 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\42153228868d7e181eba1f65682f8e30N.exe C:\Users\Admin\AppData\Local\Temp\tmp4422.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\42153228868d7e181eba1f65682f8e30N.exe

"C:\Users\Admin\AppData\Local\Temp\42153228868d7e181eba1f65682f8e30N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iffla1no.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4693.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4692.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp4422.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4422.tmp.exe" C:\Users\Admin\AppData\Local\Temp\42153228868d7e181eba1f65682f8e30N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 tcp

Files

memory/2264-0-0x0000000074B21000-0x0000000074B22000-memory.dmp

memory/2264-1-0x0000000074B20000-0x00000000750CB000-memory.dmp

memory/2264-2-0x0000000074B20000-0x00000000750CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iffla1no.cmdline

MD5 a7b08d8770c84609ea4979fca70183c8
SHA1 8139da2738ff8c6a1f70903dc775c6c1d3475d5d
SHA256 98a20507a84b7a9df79ba673f4aac197eb97319ad0073c88626d86a7f78791d1
SHA512 8a9fc206f22080169e3d30359921706a92b68abcf93f821b70356107bfd1e8ce0ec48ff3c8f4a095430adf74570d0b20fb90429520eec8011bf322f7077ac20b

memory/2796-8-0x0000000074B20000-0x00000000750CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iffla1no.0.vb

MD5 1c79b37e83afb74658a319c584c27c63
SHA1 ad0eb3a211f146487a40c38b2263f5f85390f672
SHA256 adb45d061102493953008125affa7970da36f9921731432a55d4226399fce13f
SHA512 73cfbd0e78f1b0977f7cee6df32e7e7c119b5d61fb2a47c151fa589707f1ea4820f0dbaad2e0aac657d7eb92cb5a55cc34a567d627b75b777cc2671cb025803c

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc4692.tmp

MD5 b3408cf10b0aadaa0fda7d5b50664de1
SHA1 27020b4d6a656a4b89c15dd35713352d68882f54
SHA256 bdc53a1c2654807a2c9e7ae5778fee72ed7a07ae4dc55b491b9584172356cf1f
SHA512 ba4aacedeacc99e5276d428fc96c439888c92b8039dddc17803ac2e3e6619ed76abf530995adedafbdbfa742e52c0ff7ee0bbc3f5c7c3b1855092d77a0debcd0

C:\Users\Admin\AppData\Local\Temp\RES4693.tmp

MD5 8f4866afbec7fa2b32f30bfbbd7674d0
SHA1 a72af75dd60a72d92c46cc97180fa95a6f5d566f
SHA256 b4e9a50b3d5b070f3d88d2078acc3694d984467610b13020382e65df35997ed5
SHA512 34a2490d1b09c0dec9434553e5bb20f850de9d8629e9fbfc865ecb18f31bb98fb9b38539864bd4b92a33a8b3ca517539dabae84ab8b87ca00c6b2e677da77f18

memory/2796-18-0x0000000074B20000-0x00000000750CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4422.tmp.exe

MD5 0da117a7c9938097a79aa0434db1716c
SHA1 82ba5c7ed1616da335ea10e5cade68e523114961
SHA256 0def37c480e63520878cb163ddf831ce7e5e37287e1923a99db6da0e5ea0aa6a
SHA512 c037f72d48544fdc35988259b77df9de3f14cfd4276c9ed6e2d1040be6b868e9960b67591d61c99becc4bc0cabe63be5707bb2cea94cb68492bf917c2d53ad9f

memory/2264-24-0x0000000074B20000-0x00000000750CB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-28 03:18

Reported

2024-07-28 03:22

Platform

win10v2004-20240709-en

Max time kernel

120s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42153228868d7e181eba1f65682f8e30N.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\42153228868d7e181eba1f65682f8e30N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp3D3.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp3D3.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\42153228868d7e181eba1f65682f8e30N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp3D3.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\42153228868d7e181eba1f65682f8e30N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp3D3.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\42153228868d7e181eba1f65682f8e30N.exe

"C:\Users\Admin\AppData\Local\Temp\42153228868d7e181eba1f65682f8e30N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rqialxrg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB07.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc728B210760F41629FC04B171079A111.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp3D3.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3D3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\42153228868d7e181eba1f65682f8e30N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/1508-0-0x0000000075452000-0x0000000075453000-memory.dmp

memory/1508-1-0x0000000075450000-0x0000000075A01000-memory.dmp

memory/1508-2-0x0000000075450000-0x0000000075A01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rqialxrg.cmdline

MD5 80ecaac7d2fb557bcb5766bf0a0435ad
SHA1 96aa294345212195d5a7c53b4a8c03802e2275d4
SHA256 ec01af856db970ad166e80df0eb2783a1f31f44414ab9d953b152f4d58bc95da
SHA512 38d3b59d934dfa1c2ac0f8b0bd4555b5c727afcc63fec0c70c6606a2536e282f6325ea3e35948507fe39b58f8fcbe8d88dff6248fa16d6d5536f560224eb0a18

memory/2296-8-0x0000000075450000-0x0000000075A01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rqialxrg.0.vb

MD5 874ecd73baa48efdb493db45b5e53a03
SHA1 be2ae3a1c992b7d9a2b8c3bfac86f853ae878af7
SHA256 54f3ca3c8d64a53102969537c2b4da70425485f2f33c42a6caebd9769ac26dcc
SHA512 c28aa8c0acbe4d65d0f8c3196988745167c71f798772aaa67af4a2d5efbd528922729dabc826af5958dee4d77929ca947acda1270551e3aad31d5a4062df545b

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc728B210760F41629FC04B171079A111.TMP

MD5 69f8b5ed7e9277cc543440cbdb2dbec5
SHA1 eec6e53aab7b4e9750a32e7ddb8f951a90291811
SHA256 9151fe9c24a1f9c8f8983559af6b006345a9ac1743b1231ae3de418840d52dc1
SHA512 9b2d7bd1507620a8eb3bf84b22ed844c8da8d221897019a43c8bf7443055cf86bab9d5e5ee60efb6ae15be4443d7c84b68cd1577244786f479a7e75b2221e830

C:\Users\Admin\AppData\Local\Temp\RESB07.tmp

MD5 d8175fd26a3ba9e988b746af0aa41354
SHA1 20e9bba06c2bdb6bb4bdd387c4d5c2315b6f7705
SHA256 09da702ed4822fe42e55ed9560682f6aa278cba02e40b2e0d86817e910f18abd
SHA512 806e05713e1f20eea038d74feb1be72aa2da2dfce4def0358912ac5cc737a0a515d32d702f8ffd47956d68dd408eb83f3df9322d7d5c462a731ec94bcc2c0652

memory/2296-18-0x0000000075450000-0x0000000075A01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3D3.tmp.exe

MD5 4be9bead5c4cfc2b2234acf982c9ebef
SHA1 1ed8c39351366a2418feebee4cc73cd07ba0fe2c
SHA256 cbd48778fe6911bad41079e16cd856ddc58e91021c1229b4459eef7eca1bfe5d
SHA512 ccdd9bb8e207e2e274449e174f22ef70b215292f033f4a2c0bc63547338448adb37c4020f028d7555fa19f6484c57f4749331919fc47ddeb48ae260c5e9c2335

memory/1508-23-0x0000000075450000-0x0000000075A01000-memory.dmp

memory/3748-22-0x0000000075450000-0x0000000075A01000-memory.dmp

memory/3748-24-0x0000000075450000-0x0000000075A01000-memory.dmp

memory/3748-25-0x0000000075450000-0x0000000075A01000-memory.dmp

memory/3748-27-0x0000000075450000-0x0000000075A01000-memory.dmp

memory/3748-28-0x0000000075450000-0x0000000075A01000-memory.dmp

memory/3748-29-0x0000000075450000-0x0000000075A01000-memory.dmp

memory/3748-30-0x0000000075450000-0x0000000075A01000-memory.dmp