Malware Analysis Report

2024-11-16 13:11

Sample ID: 241110-vjammatran
Target: 5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN
SHA256: 5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530d
Tags: discovery persistence metamorpherrat rat stealer trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK (Enterprise Matrix V15)
  Analysis: static1 - Detonation Overview, Signatures
  Analysis: behavioral1 - Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral2 - Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 10/10
SHA256: 5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530d
Threat Level: Known bad

The file 5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN was found to be: Known bad.

What the two detonations show (drawn from the signature, process, network and file sections below):

- The unsigned sample starts the .NET Framework 2.0 Visual Basic compiler (vbc.exe /noconfig @<random>.cmdline), which in turn starts cvtres.exe. That vbc.exe -> cvtres.exe pair, driven by a response file and a generated .vb file in %TEMP%, is the footprint of .NET CodeDOM run-time compilation: source is written to disk and compiled into a fresh executable on the victim (tmp7E.tmp.exe on Windows 7, tmpA335.tmp.exe on Windows 10).
- The sample then runs that freshly compiled binary with the path of the original sample as its only argument. The compiled helper requests SeDebugPrivilege, writes a per-user Run value named aspnet_state_perf pointing at C:\Users\Admin\AppData\Local\Temp\System.Web.exe, and on Windows 10 is flagged as deleting itself.
- Both runs query bejnz.com and rwkeith.no-ip.org (a dynamic-DNS name) and open repeated TCP/80 connections to 44.221.84.105, which the sandbox attributes to bejnz.com. No connection is attributed to the no-ip.org name in either run.
- The MetamorpherRAT family signature fired only on the Windows 10 run; the Windows 7 run produced the same compile, drop, persist and beacon chain without a family match.

Malicious Activity Summary

discovery persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Uses the VBS compiler for execution

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Deletes itself

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 17:00

Signatures

Unsigned PE

(No indicator rows; the static pass records only that the file carries no Authenticode signature.)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 17:00
Reported: 2024-11-10 17:02
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe"

Signatures

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\tmp7E.tmp.exe

Uses the VBS compiler for execution

(No indicator rows; the evidence is the vbc.exe and cvtres.exe command lines under Processes.)

Adds Run key to start application (persistence)

Operation: Set value (str)
Key: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run
Value: aspnet_state_perf = "C:\Users\Admin\AppData\Local\Temp\System.Web.exe" (the original export shows this string JSON-escaped)
Writer: C:\Users\Admin\AppData\Local\Temp\tmp7E.tmp.exe

Note: both names borrow from ASP.NET (the aspnet_state service and the System.Web assembly); that is a naming choice by the author, not a sign that ASP.NET is involved. The file the value points to does not appear in this run's Files list, so the persistence target was not observed on disk within the 120 s window. The value name and target path are still a usable host indicator.

Enumerates physical storage devices

(No indicator rows.)

System Location Discovery: System Language Discovery (discovery)

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of:
  C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7E.tmp.exe

(Opening NLS\Language is routine locale initialisation; the two Microsoft compiler processes trigger it as well, so this row is weak evidence on its own.)

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege, requested by:
  C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7E.tmp.exe

Suspicious use of WriteProcessMemory

Source PID Source process Target PID Target process Writes
1564 C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe 2548 C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
2548 C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 2684 C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
1564 C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe 2980 C:\Users\Admin\AppData\Local\Temp\tmp7E.tmp.exe 4

The original table repeats one identical row per write; it is collapsed to counts here. A parent writing into a child it has just created is part of normal process start-up, so these rows establish the process tree (1564 -> 2548 -> 2684 and 1564 -> 2980) rather than proving injection by themselves.

Processes

Process tree (PIDs taken from the WriteProcessMemory rows above):

1564  C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
      "C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe"

  2548  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qjqwuokn.cmdline"

    2684  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CE.tmp"

  2980  C:\Users\Admin\AppData\Local\Temp\tmp7E.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp7E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe

Reading the chain: vbc.exe is driven by a response file (qjqwuokn.cmdline) that compiles qjqwuokn.0.vb (both listed under Files), and cvtres.exe converts the generated resource script (vbc2CE.tmp -> RES2CF.tmp) for linking. This is what the .NET CodeDOM VBCodeProvider does whenever a program compiles source at run time, so the compiler processes are Microsoft-shipped binaries doing their normal job. The signal is the parent (an unsigned executable in %TEMP%) and the product (tmp7E.tmp.exe, which the sample immediately runs with its own path as the argument).

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 86

The original listing has one identical row per connection; it is collapsed to counts here. Two points for anyone turning this into indicators:

- rwkeith.no-ip.org is a dynamic-DNS name (No-IP). It is queried once and the report attributes no connection to it, so either it did not resolve during the run or the sandbox recorded no answer. Keep the name as an indicator regardless; dynamic-DNS hosts are re-pointed freely by the operator.
- 86 plain TCP/80 connections to 44.221.84.105 inside the 120 s window is a tight beacon interval. The report does not include payloads, so nothing beyond "TCP/80 to the address bejnz.com resolved to" is established here.

Files

memory/1564-0-0x0000000074571000-0x0000000074572000-memory.dmp

memory/1564-2-0x0000000074570000-0x0000000074B1B000-memory.dmp

memory/1564-3-0x0000000074570000-0x0000000074B1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qjqwuokn.cmdline

MD5 75cd06a1b925fb38c0e4007f30db6216
SHA1 aa8c4c0edf4e72281587e63aa16542f1a785b3da
SHA256 a7bf52f754ef16b2b20417befc6c15f25ae6d1bd4001e3bd4f60e5ebd5ca6c99
SHA512 809fe440e96044ebfae67fa026c6e05b657cf463cb0b4d560a5cd6c4916505e07110f5e4385b580e8915f6367e284c669b5de5c65d3a1501c91f48e7a2a3b912

memory/2548-8-0x0000000074570000-0x0000000074B1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qjqwuokn.0.vb

MD5 e5efca5b95107a7f079a43a6d582cc05
SHA1 e5870fac1097d5988460c399e3d6a21f14fe3cd6
SHA256 247fbe93d6ed2f1b0481c8d06abd656ec0db1b6485d7c591c114bf38792a106a
SHA512 1b66154d0dd94613106dc28188dff108ee64e8f3053d129270adeadc7799c2422ce68413d9f560dd19436d0633fc91d11cf964265cbb4b1d63cc408c81c46add

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc2CE.tmp

MD5 c358198688a140b94fc3585cf86be5d9
SHA1 c58f405925cef1690b22f43046b7e16bdd32c1df
SHA256 69dcb6778f6aaa1c49e64fecbd5429d32b05098871fd95651fac8dd8f1301b78
SHA512 0d3d54611c8acfe8108a6b78155b06d09a5ac80a8c987426a6f1e2c1c55877e2be9d9a790968b096806a29eebcff627ff85fd6a504e98f60740d44c19fc00ab3

C:\Users\Admin\AppData\Local\Temp\RES2CF.tmp

MD5 b6a9db8a3ec3dbe72e701527379b00c6
SHA1 338a3119397ce02ebf3e00399d309d6d236da490
SHA256 c902e2de0114c880a3aec040a585dca4ab11d7780117849ad2ae119d558c2162
SHA512 8109237785ca6559b5b31ce8cc3276e468f8461326289058bddde0576ea35b1ff45e6f7a3e3f9b282da4a2cbd346e026cedf87d1c09471ab6273dc8fc431c561

memory/2548-18-0x0000000074570000-0x0000000074B1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7E.tmp.exe

MD5 1c749eb49c53931306d40063e1933744
SHA1 4eeec30480d14e17804e5f02164c51a4d45dc550
SHA256 314a625ada99172ff18633c2b251dd37de955109b00698c106b04b2432742765
SHA512 c5a005020628c6f1bc766a082c449878e1ccd1cb3cee192bf320147c6bbbb1a414675b514449eede09bbed4e2b542db2e92c934fe7296b72476a3a5a0f5252d9

memory/1564-24-0x0000000074570000-0x0000000074B1B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-10 17:00
Reported: 2024-11-10 17:02
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe"

Signatures

MetamorpherRAT (trojan rat stealer metamorpherrat)

Metamorpherrat family (metamorpherrat)

Checks computer location settings

Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe

Deletes itself

Process: C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe

Uses the VBS compiler for execution

(No indicator rows; the evidence is the vbc.exe and cvtres.exe command lines under Processes.)

Adds Run key to start application (persistence)

Operation: Set value (str)
Key: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: aspnet_state_perf = "C:\Users\Admin\AppData\Local\Temp\System.Web.exe" (the original export shows this string JSON-escaped)
Writer: C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe

Note: the value name and target are identical to the Windows 7 run, so they do not depend on the randomised temp-file names and make a stable host indicator. As in the other run, System.Web.exe does not appear in the Files list.
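The persistence rows above, parsed and graded. This is an added example and not part of the sandbox report: the first two lines in SAMPLE_EVENTS are the behavioral1 and behavioral2 Run-key rows copied as the export prints them (JSON-escaped data column, then the writing process and target columns); the third is a constructed benign entry so the grading shows a non-alerting case. The severity tiers and the assumption that the trailing process column contains no spaces are choices made for illustration.

```python
"""Parse the sandbox's 'Set value' lines and grade Run-key persistence.

Added example, not part of the sandbox report. The first two SAMPLE_EVENTS
lines are copied from the report; the third is constructed. Severity tiers
are an assumption for illustration.
"""
import json
import re

SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp7E.tmp.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe N/A',
    # constructed benign entry, not from the report
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleAgent = "\"C:\\Program Files\\Example\\agent.exe\" /tray" C:\Windows\explorer.exe N/A',
]

# key = everything up to the last path component; name = that last component
LINE_RE = re.compile(
    r"^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\[^=]+?)\\(?P<name>[^\\=]+) = (?P<rest>.*)$")
HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}
TEMP_RE = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp|temp)\\", re.I)
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata|programdata|users\\public)\\", re.I)


def image_from_cmdline(cmd):
    """First token of a command line, honouring a quoted executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd else ""


def parse_set_value(line):
    """Return a dict for one 'Set value' row, or None if the line is not one.

    The data column is a JSON string literal, so json.raw_decode unescapes it
    and tells us where it ends; the remainder is the writer and target columns.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    data, end = json.JSONDecoder().raw_decode(m.group("rest"))
    trailing = m.group("rest")[end:].split()  # assumption: no spaces in these paths
    key_upper = m.group("key").upper()
    hive = next((h for p, h in HIVES.items() if key_upper.startswith(p)), "?")
    return {"hive": hive, "key": m.group("key"), "name": m.group("name"),
            "type": m.group("type"), "data": data,
            "image": image_from_cmdline(data),
            "writer": trailing[0] if trailing else None}


def grade(entry):
    """high: target or writer in a temp directory; medium: target under
    AppData/ProgramData/Public; low: anything else."""
    severity, reasons = "low", []
    if USER_WRITABLE_RE.match(entry["image"]):
        severity = "medium"
        reasons.append("Run target in a user-writable directory")
    if TEMP_RE.search(entry["image"]):
        severity = "high"
        reasons.append("Run target in a temp directory")
    if entry["writer"] and TEMP_RE.search(entry["writer"]):
        severity = "high"
        reasons.append("value written by a process running from a temp directory")
    return severity, reasons


def triage(lines):
    """Grade every Run/RunOnce value in the given report lines."""
    out = []
    for line in lines:
        e = parse_set_value(line)
        if e is None or "\\CURRENTVERSION\\RUN" not in e["key"].upper():
            continue
        sev, why = grade(e)
        out.append((e["hive"], e["name"], e["image"], sev, why))
    return out


if __name__ == "__main__":
    for hive, name, image, sev, why in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {hive} Run\\{name} -> {image}  ({'; '.join(why) or 'no findings'})")
```

Decoding the data column with the JSON decoder rather than stripping quotes by hand matters: the export double-escapes the backslashes and the embedded quotes, and a hand-rolled strip would leave the wrong path in the indicator. The writer check is the one that catches this sample even if the target path were less obviously bad: a Run value set by a process that itself runs from Temp is rarely legitimate.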

Enumerates physical storage devices

(No indicator rows.)

System Location Discovery: System Language Discovery (discovery)

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of:
  C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe

(As in the Windows 7 run, this is routine locale initialisation and the compiler processes trigger it too.)

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege, requested by:
  C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
  C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe

Suspicious use of WriteProcessMemory

Source PID Source process Target PID Target process Writes
3600 C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe 1100 C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 3
1100 C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 228 C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 3
3600 C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe 4212 C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe 3

Identical rows collapsed to counts, as in the Windows 7 run. The tree is 3600 -> 1100 -> 228 and 3600 -> 4212; the writes themselves are ordinary process start-up, not injection evidence.

Processes

Process tree (PIDs taken from the WriteProcessMemory rows above):

3600  C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
      "C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe"

  1100  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ehgogi6h.cmdline"

    228  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA596.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50B84AF97A4C3C9EC86E115E5BF4F5.TMP"

  4212  C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe

Same chain as on Windows 7 with different randomised names (ehgogi6h.* for the compiler inputs, tmpA335.tmp.exe for the compiled helper). The structure, not the names, is what a detection should key on.

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 8.8.8.8:53 rwkeith.no-ip.org udp 22
US 44.221.84.105:80 bejnz.com tcp 87
US 8.8.8.8:53 (reverse lookups, 13 distinct names, listed below) udp 13

Reverse (PTR) lookups sent to 8.8.8.8, one each:
8.8.8.8.in-addr.arpa, 232.168.11.51.in-addr.arpa, 172.210.232.199.in-addr.arpa, 14.160.190.20.in-addr.arpa, 95.221.229.192.in-addr.arpa, 105.84.221.44.in-addr.arpa, 58.55.71.13.in-addr.arpa, 97.17.167.52.in-addr.arpa, 50.23.12.20.in-addr.arpa, 198.187.3.20.in-addr.arpa, 82.190.18.2.in-addr.arpa, 83.210.23.2.in-addr.arpa, 11.227.111.52.in-addr.arpa

The original listing interleaves these rows in time order; they are collapsed to counts here. Notes:

- The recurring pattern in the original order is a burst of four TCP/80 connections to 44.221.84.105 followed by a fresh rwkeith.no-ip.org query, repeated for the length of the run. The no-ip.org name is re-queried 22 times and, as on Windows 7, no connection is attributed to it, which is consistent with the name not resolving during the run while the sample keeps retrying.
- 105.84.221.44.in-addr.arpa is the PTR of 44.221.84.105, the contacted address. The other in-addr.arpa names are reverse lookups of unrelated addresses and are characteristic of Windows 10 background traffic on a networked image rather than of the sample; do not add them to an indicator list without a pcap that ties them to the sample's processes.
- Prefer the two domains and the Run-key value name over the bare IP when writing detections; a hosting address can change without the operator changing anything else.
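The collapsing and attribution done by hand above, as code. This is an added example and not part of the sandbox report: ROWS is a constructed excerpt of the behavioral2 Network table in the same four-column format (fewer rows, so the counts below are for the excerpt, not the full run), and DDNS_SUFFIXES is a partial, assumed list of dynamic-DNS providers.

```python
"""Collapse a sandbox network listing into indicators and a beacon summary.

Added example, not part of the sandbox report. ROWS is a constructed
excerpt of the behavioral2 Network table; DDNS_SUFFIXES is a partial,
assumed list of dynamic-DNS provider domains.
"""
from collections import Counter

ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
"""

DDNS_SUFFIXES = (".no-ip.org", ".no-ip.com", ".ddns.net", ".hopto.org",
                 ".zapto.org", ".duckdns.org", ".dyndns.org")  # partial list, assumed


def parse_rows(text):
    """Split 'Country Destination Domain Proto' rows into dicts; skip anything else."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'105.84.221.44.in-addr.arpa' -> '44.221.84.105'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    return ".".join(reversed(name[:-len(suffix)].split(".")))


def summarize(rows):
    """Count forward queries, PTR lookups and TCP connections, then derive
    the three things worth reading off: dynamic-DNS names, names that were
    resolved but never connected to, and PTR lookups of contacted addresses."""
    dns_q, ptr_q, conns = Counter(), Counter(), Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_q[ip] += 1
            else:
                dns_q[r["domain"].lower()] += 1
        elif r["proto"] == "tcp":
            conns[(r["ip"], r["port"], r["domain"].lower())] += 1
    connected_names = {d for (_, _, d) in conns}
    contacted_ips = {ip for (ip, _, _) in conns}
    return {
        "dns_queries": dns_q,
        "ptr_lookups": ptr_q,
        "connections": conns,
        "ddns_hosts": sorted(d for d in dns_q if d.endswith(DDNS_SUFFIXES)),
        "resolved_but_never_connected": sorted(set(dns_q) - connected_names),
        "ptr_of_contacted": sorted(ip for ip in ptr_q if ip in contacted_ips),
    }


def indicators(summary):
    """Network indicators to keep: contacted ip:port pairs and queried names.
    PTR names are deliberately left out (see the notes above the table)."""
    out = {f"{ip}:{port}" for (ip, port, _) in summary["connections"]}
    out.update(summary["dns_queries"])
    return sorted(out)


if __name__ == "__main__":
    s = summarize(parse_rows(ROWS))
    for (ip, port, dom), n in s["connections"].items():
        print(f"{ip}:{port} ({dom}) x{n}")
    print("dynamic DNS:", s["ddns_hosts"])
    print("resolved, never connected:", s["resolved_but_never_connected"])
    print("indicators:", indicators(s))
```

Run against the full behavioral2 table instead of the excerpt, the same code yields the 87/22/1 counts in the collapsed table above. The PTR-to-IP conversion is what makes the 105.84.221.44.in-addr.arpa row stand out from the rest of the reverse-lookup noise: it is the only PTR whose address the sample actually connected to.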

Files

memory/3600-0-0x0000000074B92000-0x0000000074B93000-memory.dmp

memory/3600-1-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/3600-2-0x0000000074B90000-0x0000000075141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ehgogi6h.cmdline

MD5 01558bc62c63242a6661b44b7813985d
SHA1 24ea7eab557691dedfcb6a51cb17f39a8f76b88d
SHA256 117d49e47ad475ca0add2f082b899af1b3d688af1c969594ebfe8cce43e96425
SHA512 394e5ec9cf00971f29dde548f3a1e8167b24330cfe86d1e9f8122c67fdc5d01401ef8ed25e8f8848fd466defe2f977a2b4419ba784530dd1e711a4937a0f18db

C:\Users\Admin\AppData\Local\Temp\ehgogi6h.0.vb

MD5 162f74758670b65dbc0d419b01ab078f
SHA1 4ad252fe2d4f575f703a7c5670474648a586300d
SHA256 18c984575a4a581955cba85e5351a64283e7dbd3b02628c195c675d25467b638
SHA512 02e986b1b43166398c1fe42c1c2c9062294785b0e7bb8e7a17e3fa0281273df66ec1afcdc883746a426fa2b721baf30e0f64fd4c79da23132473efb1fdc967ff

memory/1100-9-0x0000000074B90000-0x0000000075141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Note: this is the only dropped artifact whose hashes match across the Windows 7 and Windows 10 runs (compare the behavioral1 Files section). The generated .vb source, the compiler response file and temp files, and the compiled tmp*.tmp.exe all differ between runs, as expected when source is compiled on the victim. The zCom.resources hashes, the Run value name aspnet_state_perf and the System.Web.exe target path are therefore the stable host indicators here; hashes of the compiled helper are not.

C:\Users\Admin\AppData\Local\Temp\vbc50B84AF97A4C3C9EC86E115E5BF4F5.TMP

MD5 56dc57a2daa7ed585c60f7e9f5501951
SHA1 b6ea53163ab4ac7b54985153debac8b7ba1955ca
SHA256 1da41e59fb9c7c5fa25de3ed4b002bfa3c51537b8ff34e9db9f3f69a4eef9658
SHA512 e47a8924ef4132cdca8362273c6745e9307dd5d1eda6b3ddef2cc3a58ea0b11be9650176b3072ccebb55ae4b65a370da4ad378280c4b71226d5a906a90c84374

C:\Users\Admin\AppData\Local\Temp\RESA596.tmp

MD5 efc3f15e84541a00465313bb57b68270
SHA1 7ff928dd192046f3e65fa410a79f175603f43ea7
SHA256 93097f22c736695933652a5fa64aca4921568e5879725be87231ee2c1df4d80d
SHA512 5795fbc233c9d5981b5d2e7aab76fd34442ee3eec4094379ccfcddb1573c87f4b680bd6d79c7c98b4a14301803f79354e52a076524bde5db35213a8839bf7506

memory/1100-18-0x0000000074B90000-0x0000000075141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA335.tmp.exe

MD5 d79406ef03f110f019b286e354d82f67
SHA1 9f2b660dcd34cce7d0c63c87d8912a0c0c8aa3bd
SHA256 53eb93b83b06510ce861966047204e9a66c64a634d83df8c046bdc6ab91175d4
SHA512 b08bdb6eecb0f74d15afbb04f3c53de04b234af945dcba71f37ce36535c8a9d51fa4d2e92076fda30ff730f052e94c710c1719f4e8001821c20cea2d8f9a3b26

memory/4212-22-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/3600-23-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/4212-24-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/4212-26-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/4212-27-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/4212-28-0x0000000074B90000-0x0000000075141000-memory.dmp