Malware Analysis Report

2024-11-16 13:12

Sample ID 241103-lhsx5szpbw
Target a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN
SHA256 a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11b
Tags
discovery persistence metamorpherrat rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11b

Threat Level: Known bad

The file a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN was found to be: Known bad.

Malicious Activity Summary

discovery persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Executes dropped EXE

Checks computer location settings

Deletes itself

Uses the VBS compiler for execution

Loads dropped DLL

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 09:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 09:32

Reported

2024-11-03 09:34

Platform

win7-20240729-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB664.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpB664.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB664.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpB664.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2888 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2888 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2888 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2888 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2372 wrote to memory of 2216 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2372 wrote to memory of 2216 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2372 wrote to memory of 2216 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2372 wrote to memory of 2216 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2888 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe C:\Users\Admin\AppData\Local\Temp\tmpB664.tmp.exe
PID 2888 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe C:\Users\Admin\AppData\Local\Temp\tmpB664.tmp.exe
PID 2888 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe C:\Users\Admin\AppData\Local\Temp\tmpB664.tmp.exe
PID 2888 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe C:\Users\Admin\AppData\Local\Temp\tmpB664.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe

"C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-iww_5nk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7AC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB7AB.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpB664.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB664.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2888-0-0x0000000074FC1000-0x0000000074FC2000-memory.dmp

memory/2888-1-0x0000000074FC0000-0x000000007556B000-memory.dmp

memory/2888-2-0x0000000074FC0000-0x000000007556B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\-iww_5nk.cmdline

MD5 6a172514fe6ee39bdc99b05226224897
SHA1 db14de21dd806ae2f67525d453c461a8d1a1047e
SHA256 d034b7a841ebfba24c951e8322ca30a1af62c65a4685f582674cf8c7fd0dd21a
SHA512 c90a7775d42b48e4983b7717f7dd80d4907669d555c8828cb70aca844b64a6f74bb215f40329a9c0e2bc540d4821091df7e2382b86ab80f435843f71d8cba2dd

memory/2372-8-0x0000000074FC0000-0x000000007556B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\-iww_5nk.0.vb

MD5 cf255b63ca976d8d219c3a69a44f7b69
SHA1 64dda9e7bd8cbbd585ba505d348a04d23ec4a52c
SHA256 c3c89a754d103c164e344ec28901ac9a7010bacbc97b84f2b8f8da55ef0227b7
SHA512 a58da2d685831d11d46a2d41ab4f87f1b65df3221f3437309e6acaccc9f74f7a84b6557866bc900114e88638e412ecfa09ae7f50666bdfeb2fc19e69541fd890

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 6870a276e0bed6dd5394d178156ebad0
SHA1 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

C:\Users\Admin\AppData\Local\Temp\vbcB7AB.tmp

MD5 4a3d3a02628c1a6c746fc5222d0c8213
SHA1 874f7349cbc86e02f4681bcebc05d637e816ffe9
SHA256 dbbd0d43ead9cd5c3051d147efe6cbe50cd6cb831f7615c9cd5a8345149c8f00
SHA512 f83a56ed140d76e6f09d6504fa514624d4b74a3de025019af2efd953fc2050a2ac765a3a7f8b1d2c23d91041339a78ff06d7f1fca01e586a7cddfae5d3b34bcd

C:\Users\Admin\AppData\Local\Temp\RESB7AC.tmp

MD5 fd764058559237acc4f5e30d559aa18c
SHA1 d0568492b1e586ba52b3932bf26f69ffd098e40f
SHA256 1a181d024165f140b362e671f5bc2fe855ebb4224b8fb5bd595385c26695f676
SHA512 9816614a599be66bdaf2dddfbb2970d325bd53107539422cbc65fbf66b1c571bba3eb062238991a216884684f44dea413ffce3b8d8d720e00fd3f16f63649f69

memory/2372-18-0x0000000074FC0000-0x000000007556B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB664.tmp.exe

MD5 9bd960d556510f9c9c89d8d6e165f1aa
SHA1 c62bf8dd87f63da58fa33d10529635632a6cf637
SHA256 ed522760b528f55eed17e3278fc66f73b1f7d46c07f0a83b5cfe577848077a0c
SHA512 18064954e413ff7e5503bb549bd0792fdb01889701c7ad84357b042bcbb0deab5c401149c0d268f5d37b9640c9f725c4e2c877d643b9df0d5ba9c70e40e5370b

memory/2888-24-0x0000000074FC0000-0x000000007556B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 09:32

Reported

2024-11-03 09:34

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB2F4.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB2F4.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpB2F4.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB2F4.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpB2F4.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1432 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1432 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1432 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1720 wrote to memory of 1948 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1720 wrote to memory of 1948 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1720 wrote to memory of 1948 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1432 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe C:\Users\Admin\AppData\Local\Temp\tmpB2F4.tmp.exe
PID 1432 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe C:\Users\Admin\AppData\Local\Temp\tmpB2F4.tmp.exe
PID 1432 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe C:\Users\Admin\AppData\Local\Temp\tmpB2F4.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe

"C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wcfasus3.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA2C6BEA59DD4E9C955C105A8A99122F.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpB2F4.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB2F4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/1432-0-0x00000000754C2000-0x00000000754C3000-memory.dmp

memory/1432-1-0x00000000754C0000-0x0000000075A71000-memory.dmp

memory/1432-2-0x00000000754C0000-0x0000000075A71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wcfasus3.cmdline

MD5 bbad4dda17f34a05864d856981c1a2b8
SHA1 6259b9241f2386c7027afda6a49cdaa88e712971
SHA256 04f59c6aa6f2da190a8a72a849983bb37b34a30fd5472bd5b4a32901107da4c9
SHA512 bf8878b983b3f8d31696b6798cfb6deea2912fac1cc1100d7fe3bed8482952cd6603d768b4da50660de87a99ead38fa5b4e955038b003e142e4cce8d8a5929ee

memory/1720-8-0x00000000754C0000-0x0000000075A71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wcfasus3.0.vb

MD5 8e0b1b272ca8db4952ec74039dc0f7cd
SHA1 44ba3aff536e55e7dec10106195dfbf0e8b56a2f
SHA256 a359ea8492efe7c7c096b70d8850a757cea6768d73f912944bc025b7f08e26ff
SHA512 3f632995a561ae29e13c6d329954f9ea5777df0616965a842986ea115e4c3cd9e157bc5220f172ee575282c3a7207de7ae883c1e06cfe493020d6076e90c65c1

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 6870a276e0bed6dd5394d178156ebad0
SHA1 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

C:\Users\Admin\AppData\Local\Temp\vbcA2C6BEA59DD4E9C955C105A8A99122F.TMP

MD5 90bff34a03d0f204a52820c73be12b8b
SHA1 bf132e2f730e17e0214894f5d83a6ff974d6583b
SHA256 1def159a41566d67bc67ce24e2d5ce5bddccaaaf35267b7b6b9867645ccf4085
SHA512 68ba2a5cc46b5940f34efbf41f08b93a9479132b9d46ff8ff27b956ff241604c413c28befd52ec9990195a0044efcee47bef843e8da77eb568cbbdec6e64f0ec

C:\Users\Admin\AppData\Local\Temp\RESB4E8.tmp

MD5 e7e3f7268fb0f8e728430dc818989e61
SHA1 24b1f4314723a611e3987387f975ba921cdb646f
SHA256 e0b5b4d8535e98797d22a902eded20807ca51cff224ab9be02d4d323de0cc218
SHA512 75578a0fbab9d0af7f0d8012a7e4fa5baa5a1eb4a41ab1a363c90a269c580e6b5f9d95ff61d005a68971493261682715c20e241addbbe4d31ba6d4b43534ec03

memory/1720-18-0x00000000754C0000-0x0000000075A71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB2F4.tmp.exe

MD5 df89014fc6765060fabef686e9cef8be
SHA1 a1735132012b6c137deea1d6c2010f9059e46546
SHA256 9fe7bf7dbbb105904210bcaa103d1bde391d4217146b524ed5b6d2cbb574dda8
SHA512 c462b502c15cbc9a1af0153c6766b44a036c5f315921b8df82f857060f5fb0a0e5a7e4e3ed55a2da0b47bd80e90ed49c1bc70b17d661550501768b4c53f75899

memory/1432-22-0x00000000754C0000-0x0000000075A71000-memory.dmp

memory/2528-23-0x00000000754C0000-0x0000000075A71000-memory.dmp

memory/2528-24-0x00000000754C0000-0x0000000075A71000-memory.dmp

memory/2528-25-0x00000000754C0000-0x0000000075A71000-memory.dmp

memory/2528-27-0x00000000754C0000-0x0000000075A71000-memory.dmp

memory/2528-28-0x00000000754C0000-0x0000000075A71000-memory.dmp

memory/2528-29-0x00000000754C0000-0x0000000075A71000-memory.dmp