Malware Analysis Report

2024-09-11 10:24

Sample ID 240721-ek89kswcqn
Target 611fbb528be6fde776975a1afea7ae40N.exe
SHA256 bb1d46412f17b1a47d05fd4ee3a653a9383f42be64032bd3d57f886858536e41
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bb1d46412f17b1a47d05fd4ee3a653a9383f42be64032bd3d57f886858536e41

Threat Level: Known bad

The file 611fbb528be6fde776975a1afea7ae40N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Uses the VBS compiler for execution

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-21 04:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-21 04:01

Reported

2024-07-21 04:03

Platform

win7-20240708-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2024 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2024 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2024 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2544 wrote to memory of 2352 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2544 wrote to memory of 2352 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2544 wrote to memory of 2352 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2544 wrote to memory of 2352 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2024 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp.exe
PID 2024 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp.exe
PID 2024 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp.exe
PID 2024 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe

"C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n4wcmazl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEB5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCEB4.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp

Files

memory/2024-0-0x0000000074871000-0x0000000074872000-memory.dmp

memory/2024-1-0x0000000074870000-0x0000000074E1B000-memory.dmp

memory/2024-2-0x0000000074870000-0x0000000074E1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\n4wcmazl.cmdline

MD5 677c93b7ff00a847aeb0ae20aa451eb5
SHA1 20f7d8c54ed5cbfc38de790b8678a09a5bcdf6fa
SHA256 a3b12750642166ac6e85bd62df937d6fd4be0241c0788aa134bb77fe53c011fe
SHA512 bdf636759a0ed76a53ec2d8794d0e9a2bb425991cc60441ef0daf8c2509fd1c61bf75f9a3368eedfde0f381411d56d0d2d6216dff554f673164f56bd9185269f

C:\Users\Admin\AppData\Local\Temp\n4wcmazl.0.vb

MD5 2f89aec4975bc1c9ca02c4c6c49177f5
SHA1 92bfb6a543110dc160b75f949eaab7cf426a252f
SHA256 b753bb898de1b544d9e0520a298089f2ad431e821d7e046554e8771fa3012726
SHA512 52e94ba63796f45bb423d8ca3a6b1b7c4bb25f7d9dc7ea07d960440c14c5eae20120d5f42d6089bbf8bea934c1db44fd2223440500a956da330bad291ca6f1fa

memory/2544-9-0x0000000074870000-0x0000000074E1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 6870a276e0bed6dd5394d178156ebad0
SHA1 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

C:\Users\Admin\AppData\Local\Temp\vbcCEB4.tmp

MD5 67811a37b2603451b0ea0395babf534c
SHA1 d90234c031b13e8fce4f470f2f906d1cd40c567a
SHA256 5cc6777b3eabde91f97e4ceb803288edab65de1ac7cbc9240132cfaf83250f2a
SHA512 2564610e2e228c89a946464c49748c90116e2f68cb87c9b8a42fe3f145dcf60b54187327212fe562422389736da32f10108d984b8e4e5f6718a44c6e513cee2f

C:\Users\Admin\AppData\Local\Temp\RESCEB5.tmp

MD5 4fbf6db671cd88924f485d110a06d094
SHA1 48ae9c3939010efb397aa810077f35525cd2fefb
SHA256 bf150e47f28a1c8397982bcfc459f33753e377d891c559304f09b12f993e2647
SHA512 180f0e0c1ce45ab908161d9f9c84b974e423960d2c657486248a855d514ecfdf4ac5393a56093a797705844532a7d81aa629275be59d9dec7c9575a50599e609

memory/2544-18-0x0000000074870000-0x0000000074E1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCDE9.tmp.exe

MD5 1e871f4d780ac75af45b07c10ccf9d9d
SHA1 7dcd9eafc9e3f10c629c8d45ccc7d11ff0848260
SHA256 64742f28f16caf56afaccd612236e9c63fde4299bdd1a0149a54db65a2726eb4
SHA512 57b3addafa810dc81f82b7ee45ee1e9cae798609c7fd19c541624c540ab2ef5bea0b2b4bc177f009a8e0573fdcaf8d62235e68a709119f3f98964c88885dcc7a

memory/2024-24-0x0000000074870000-0x0000000074E1B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-21 04:01

Reported

2024-07-21 04:03

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe
Target: N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD263.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD263.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\tmpD263.tmp.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpD263.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe

"C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gk4mqbuq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD409.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5724CE2CD6D8460397C5E2C26D56F17A.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpD263.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD263.tmp.exe" C:\Users\Admin\AppData\Local\Temp\611fbb528be6fde776975a1afea7ae40N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 52.111.227.13:443 tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2936-0-0x0000000075432000-0x0000000075433000-memory.dmp

memory/2936-1-0x0000000075430000-0x00000000759E1000-memory.dmp

memory/2936-2-0x0000000075430000-0x00000000759E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gk4mqbuq.cmdline

MD5 141d44f3bc93a4176629f1c656a8334d
SHA1 90979ca8d3867678b67fcfc647a882a075cd6f92
SHA256 9c53a33870a33fb15a3b428ef89ad1953c035b28b0585a4b50f2638e509241c5
SHA512 85fc2439597d4ffac90fe67c53865dbab73e63833c409e088fffe09fc5955af282278c567bd215d222628407de0d503ecae8a0a1eaed9e13279763fbe7b4f70b

C:\Users\Admin\AppData\Local\Temp\gk4mqbuq.0.vb

MD5 0f3c17a7492a19e01070fb45b77e7de2
SHA1 17b8fd4a9a768e93ae1f0129e37f3fc2425e9b37
SHA256 e56c9c8335c398b3d9d23476214a61d2bf6658b655024d63fd912b5505d9298b
SHA512 66b727a92288e6559b4d1bfd8ac846a01cfd8d17a7823dd5926753ab2f8f9be49f2959a1ca2ae8c787eb6139096eabf0159b29187f8e159426f7a66fc374c4b7

memory/1080-9-0x0000000075430000-0x00000000759E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 6870a276e0bed6dd5394d178156ebad0
SHA1 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

C:\Users\Admin\AppData\Local\Temp\vbc5724CE2CD6D8460397C5E2C26D56F17A.TMP

MD5 d3e2d5cafc4dd2894f2aa2cafda7aeae
SHA1 cadd15cab019130584ccade9b388c20a804bacfd
SHA256 f07c9ac6afafaeebe9d9348c4f41a74b837527e49b0e1406e3831c3546bec563
SHA512 774f2222c1c34ae515254513a5715fc3c5bae285ab16c57f930352d569c7cc24b07131c0f51549f2bf3002376cadb38f88da995d855447304f00b210e49d5fac

C:\Users\Admin\AppData\Local\Temp\RESD409.tmp

MD5 8b4f14acd2453fdbde561dd53bd00ac6
SHA1 fbbffc943cdcdeebbf90fd7c1dd04d5f68ae90ba
SHA256 c0a5a6ebc612d62d83bda3e95f6bf30dc7a34a0a150f6283ad606c8ee197a2c4
SHA512 573cce55e2a9503b2ce58cb80fb2422276c7a206737b2fb6431dfe8d7557dfcd471b31e3890b892d3b5d88be10e79718386911919dca84449e289760433d9108

memory/1080-18-0x0000000075430000-0x00000000759E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD263.tmp.exe

MD5 be2ffb85c6469106a80add5413ae82e9
SHA1 fd399158397ae20cb9155cebc99977a5a6a584b7
SHA256 34e16e03972605b348e72e3d739b9698d30eaf1211e7ed3c9b9ea5ff9a08d599
SHA512 153391dee058662586da8f8fd39038493bc25c5ad4daeab18e1c93469b888c40b5c5cc4e454141445393cd6a6d4dd30ec33733081a18974f8bec62fe75a15ae8

memory/2936-22-0x0000000075430000-0x00000000759E1000-memory.dmp

memory/4852-23-0x0000000075430000-0x00000000759E1000-memory.dmp

memory/4852-24-0x0000000075430000-0x00000000759E1000-memory.dmp

memory/4852-25-0x0000000075430000-0x00000000759E1000-memory.dmp

memory/4852-27-0x0000000075430000-0x00000000759E1000-memory.dmp

memory/4852-28-0x0000000075430000-0x00000000759E1000-memory.dmp

memory/4852-29-0x0000000075430000-0x00000000759E1000-memory.dmp