Malware Analysis Report

2024-09-11 10:25

Sample ID 240723-2g6qlswbjd
Target 17476bf322467a2315505fc104781270N.exe
SHA256 f9c80082fbf214dd44ef0577fc1d08ba64b8248daca56966561fd09345cb95aa
Tags
discovery persistence metamorpherrat rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f9c80082fbf214dd44ef0577fc1d08ba64b8248daca56966561fd09345cb95aa

Threat Level: Known bad

The file 17476bf322467a2315505fc104781270N.exe was found to be: Known bad.

Malicious Activity Summary

discovery persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Deletes itself

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution (the compiler is vbc.exe, the Visual Basic .NET command-line compiler, fed a generated .vb source and a .cmdline response file; see Processes and Files)

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-23 22:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 22:34

Reported

2024-07-23 22:36

Platform

win7-20240704-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp69BB.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp69BB.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp69BB.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp69BB.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2824 wrote to memory of 2176 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2176 wrote to memory of 2220 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2824 wrote to memory of 2588 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe C:\Users\Admin\AppData\Local\Temp\tmp69BB.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe

"C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y5nmzoi-.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B80.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B7F.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp69BB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp69BB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp (85 further connections to the same destination; the last of them has no Domain value recorded)

Files

memory/2824-0-0x0000000074681000-0x0000000074682000-memory.dmp

memory/2824-1-0x0000000074680000-0x0000000074C2B000-memory.dmp

memory/2824-2-0x0000000074680000-0x0000000074C2B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\y5nmzoi-.cmdline

MD5 5a0ad7b1cfbcad51a3399fbc40db9baa
SHA1 4d9eac089ca4de8651bfd16826c47c6a275a41ba
SHA256 6c05c22667f040f8bdf49390e2d7e15120dd8147e919abd4ea7be2d3efd60eeb
SHA512 e24bb780d1f135eeb079e3c264bb49fe10d799ccddab129aba102cc0bce071d09b5115355843ec9e4bdcf736818148c679c4f94a49274226bbbe8860761fb30c

memory/2176-8-0x0000000074680000-0x0000000074C2B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\y5nmzoi-.0.vb

MD5 8fa02b04697716ee6c098dbd5b7fba33
SHA1 6f257077bfca3250abfa7db9e51a53bcca076cb5
SHA256 2446386976f37cb2d1157d959253447f06624b470901ce92537411d530a1fe40
SHA512 95f55eac637472dfed800e7ded129bdfb3806048d78196c9d1a4cd931adbe775efad99d247898261dc7b8a9160f6a425f2c929d23bf6f2561253669f7036d0ba

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 6870a276e0bed6dd5394d178156ebad0
SHA1 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

C:\Users\Admin\AppData\Local\Temp\vbc6B7F.tmp

MD5 4ca94ff9c6ba86d43be190a2b8f837f2
SHA1 0d74dcb859251f313a40896ae046cd465c708503
SHA256 40786640f4a525248caed621c7795546c6901e6e8c9e27ba6419ab8b8f596b48
SHA512 af0a5a3bae4ff67c1b3ba6731b6602e8125f8eba7b91a73acee57906a2fcadef09cab7ae8fde9f59b70fc9b32a1ede465394b6618a26f8f65958fb9d529d3b9b

C:\Users\Admin\AppData\Local\Temp\RES6B80.tmp

MD5 ed6980a3348d9ddcbfa1dadc72c0d5aa
SHA1 92c3630f4fb5246809d6d38a16a87c0349f91c3c
SHA256 8e1da166858e7982c76fec4b94c2a7355c1b13eebc626ce8227ca27f9f987bfa
SHA512 11b5c4a2fbc3bfb68d97f30c2ccab0443ad73908ee5e87d578257840a9e0391724482b88500beaae43e141aa9e7cf7baa54223f642ab8022bfedb7025d77b1c8

memory/2176-18-0x0000000074680000-0x0000000074C2B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp69BB.tmp.exe

MD5 096e3ca4d00abbed9aaf049c91d7ceb0
SHA1 658f6bdbd8919c19aed754df2660e0851570fac9
SHA256 ba8834a8e28faf2c9a114682cf86fef11073ce21513e27fe85ca35ec5cc323b1
SHA512 5fbef2ed1ca8d1b088e313d923ca95f9c2066ac3d76d4421cf1839b406460bf81f17263fa2e8159d2acd1b66b8b73267e8f2650cb7c397d21cd76e8cc9ba1103

memory/2824-24-0x0000000074680000-0x0000000074C2B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-23 22:34

Reported

2024-07-23 22:36

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp6B6C.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp6B6C.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp6B6C.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp6B6C.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp6B6C.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe

"C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dhmz2_3v.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE99743E989364EC693CBEEABC95970B2.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp6B6C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6B6C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe
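The process chain and Run-key write are the same in both runs (behavioral1: 2824 → vbc.exe 2176 → cvtres.exe 2220, 2824 → tmp69BB.tmp.exe 2588; behavioral2 with different PIDs and temp names). Below is the detection logic a SOC would derive from those tables, as an added example that is not part of the sandbox report. The event records are constructed from the behavioral1 Processes, WriteProcessMemory and persistence tables; the sample's own parent (explorer.exe, PID 900) and the allowlist of legitimate compiler parents are assumptions. Three checks: a .NET compiler given a response file by something other than a build host, a dropped helper launched with its parent's path as an argument (the way tmp69BB.tmp.exe is started here, consistent with the "Deletes itself" signature on the dropped helper), and a Run value whose target sits under a user profile.

```python
import re

# Constructed process-creation events modelled on the behavioral1 Processes
# section and WriteProcessMemory table (2824 -> 2176 -> 2220, 2824 -> 2588).
# The parent of the sample (explorer.exe, PID 900) is an assumption.
PROCESS_EVENTS = [
    {"pid": 2824, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe"'},
    {"pid": 2176, "ppid": 2824,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y5nmzoi-.cmdline"'},
    {"pid": 2220, "ppid": 2176,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B80.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B7F.tmp"'},
    {"pid": 2588, "ppid": 2824,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmp69BB.tmp.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmp69BB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe'},
]

# Constructed registry set-value event modelled on the 'Adds Run key' table.
REGISTRY_EVENTS = [
    {"pid": 2588, "image": r"C:\Users\Admin\AppData\Local\Temp\tmp69BB.tmp.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\sortkey.exe"'},
]

COMPILERS = {"vbc.exe", "csc.exe"}
# Assumption: build hosts that legitimately spawn the .NET compilers with a response file.
LEGIT_COMPILER_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
RESPONSE_FILE = re.compile(r'@"?[^"\s]+\.cmdline', re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def first_token(cmd):
    """Executable path from a command line or Run-key value, quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def detect_compiler_abuse(events):
    """vbc.exe/csc.exe fed a response file by a parent that is not a build host:
    the run-time compile of generated .vb source seen in the Processes section."""
    return [("compiler_abuse", e["pid"], basename(e["parent_image"]))
            for e in events
            if basename(e["image"]) in COMPILERS
            and "/noconfig" in e["cmdline"].lower()
            and RESPONSE_FILE.search(e["cmdline"])
            and basename(e["parent_image"]) not in LEGIT_COMPILER_PARENTS]


def detect_helper_given_parent_path(events):
    """A child in a user-writable directory whose arguments contain its parent's
    image path, as tmp69BB.tmp.exe is launched here."""
    return [("helper_given_parent_path", e["pid"], basename(e["image"]))
            for e in events
            if USER_WRITABLE.match(e["image"])
            and basename(e["image"]) != basename(e["parent_image"])
            and e["parent_image"].lower() in e["cmdline"].lower()]


def detect_run_key_user_path(reg_events):
    """Run-key value whose target lives under a user profile rather than
    Program Files or the Windows directory."""
    return [("run_key_user_path", e["pid"], e["key"].rsplit("\\", 1)[-1], first_token(e["data"]))
            for e in reg_events
            if RUN_KEY.search(e["key"]) and USER_WRITABLE.match(first_token(e["data"]))]


def run_detections(proc_events, reg_events):
    return (detect_compiler_abuse(proc_events)
            + detect_helper_given_parent_path(proc_events)
            + detect_run_key_user_path(reg_events))


if __name__ == "__main__":
    for hit in run_detections(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(hit)
```

vbc.exe spawning cvtres.exe is a normal step of a compile and is not flagged; only the parent of the compiler matters. Two points from the report worth carrying into triage: the Run value mscorsvc points at C:\Users\Admin\AppData\Local\Temp\sortkey.exe, yet the Files section of neither run lists a file by that name, so within the 120 s window the persistence target was not observed on disk; and the value name resembles a .NET component name, which is a reason not to triage Run entries by name alone.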

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 (no Domain value recorded) tcp
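The Network tables of both runs (behavioral1 above and behavioral2 here) are long but carry only a handful of distinct facts. The script below reduces such a table to IOCs, as an added example that is not part of the sandbox report: it counts connections per destination, separates names that were resolved but never connected to, and maps in-addr.arpa lookups back to the hosts they describe. The rows embedded in it are a constructed excerpt of the behavioral2 table; the list of benign suffixes used to drop Windows background traffic is an assumption.

```python
from collections import Counter
import ipaddress

# Constructed excerpt of the behavioral2 Network table (Country Destination Domain Proto);
# the real table has several hundred rows of the same shapes.
NETWORK_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp
"""

# Assumption: sandbox/OS background traffic that is not a sample IOC.
BENIGN_SUFFIXES = (".bing.com", ".bing.net")


def parse_rows(text):
    """Yield (ip, port, domain_or_None, proto); the table's last row has no Domain column."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _, dest, domain, proto = parts
        elif len(parts) == 3:
            _, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        yield ip, int(port), domain, proto


def ptr_to_ip(name):
    """'105.84.221.44.in-addr.arpa' -> '44.221.84.105'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def summarize(text):
    """Connections by (ip, port, proto), names resolved but never connected to,
    PTR lookups that point back at a contacted host, and the resulting domain IOCs."""
    connections = Counter()
    connected_domains, forward_lookups, reverse_lookups = set(), set(), set()
    for ip, port, domain, proto in parse_rows(text):
        if domain and domain.endswith(BENIGN_SUFFIXES):
            continue
        if proto == "udp" and port == 53:          # resolver traffic, not a C2 contact
            ptr_ip = ptr_to_ip(domain)
            if ptr_ip:
                reverse_lookups.add(ptr_ip)
            elif domain:
                forward_lookups.add(domain)
            continue
        connections[(ip, port, proto)] += 1
        if domain:
            connected_domains.add(domain)
    contacted_ips = {ip for ip, _, _ in connections}
    return {
        "connections": dict(connections),
        "resolved_only": forward_lookups - connected_domains,
        "ptr_for_contacted": reverse_lookups & contacted_ips,
        "domain_iocs": forward_lookups | connected_domains,
    }


if __name__ == "__main__":
    for key, value in summarize(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

Run over the full tables this yields what the excerpt shows in miniature: every connection that is not Bing background traffic goes to 44.221.84.105:80 under the name bejnz.com; rwkeith.no-ip.org is re-resolved throughout the run but never connected to; and the 105.84.221.44.in-addr.arpa lookup is the reverse of the contacted host. Both names belong on the IOC list, and since no-ip.org is a dynamic-DNS provider the name, not whatever address it resolves to on a given day, is the durable indicator. The bing.com/bing.net rows appear only in the Windows 10 run and are filtered here as OS background.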

Files

memory/1604-0-0x0000000074B92000-0x0000000074B93000-memory.dmp

memory/1604-1-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/1604-2-0x0000000074B90000-0x0000000075141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dhmz2_3v.cmdline

MD5 37555fead398292d815c8f7bb6cdf27c
SHA1 0b23317dd88d8a144e6d6f06a5c22bf3fc3a7f77
SHA256 368ace56a2691a0912bb4df2206dc2369a4478ade45b8a7f0b48ee5265745964
SHA512 26abed91282ab010358a73e34c6304b8d5a2ad7996445025a2851dfc19455ab669a9d2dd7b47c4c6988aa61aa019a5a005fe36f28b8c09fba50b312e851287d2

C:\Users\Admin\AppData\Local\Temp\dhmz2_3v.0.vb

MD5 b1627c05d89c9bf9ab9e2a69f6768f4b
SHA1 00be84a04809e91c957418910b384a359b90a3eb
SHA256 92ec31ea67c4c24faf55ad47ea5f86ae9a62d58366a13e20d52e26868cb19f2a
SHA512 d72970f521fcd52ce6e08dc9b6eb1536535e4f012fa774d60e57b0bbb220e20d68ed885237ab8a424e37643ee0609026ab7f0332fa5b877d1efe8553a32e08a2

memory/1308-9-0x0000000074B90000-0x0000000075141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 6870a276e0bed6dd5394d178156ebad0
SHA1 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

C:\Users\Admin\AppData\Local\Temp\vbcE99743E989364EC693CBEEABC95970B2.TMP

MD5 69dcb2e8f03b89867e9c81656709ecf5
SHA1 4f57e855d063b400f8ed7b266437ce7aade42202
SHA256 6b2ad9e0cd278f03f740351210ed751c333b3546fe7da5b9f2e5e4caddc7a8c9
SHA512 b7ab65bbaf14ea3cab0d1fb701de6fd4cdcc323417d520f29e12d8584d91406b9f2608c361b68049380211f7d8bab226296ed90a137fca8e102f0781a41c8f8b

C:\Users\Admin\AppData\Local\Temp\RES6C66.tmp

MD5 a4b7374ab2bed36cdf1d42f75421921a
SHA1 442fe95023bd8ceb4a21800c6ba745c455edca38
SHA256 1f531ccea22247fc70f2fde3ac084ee2ed144ee2fdf8b6352b1b910db2e07d5e
SHA512 5e89bf1d33bd22c45d70e3367120657145b7fcf017f930d9a06ed7305f24582d7f342d017ed329f0d96f7ed109b129542a8bbb663fbece1cb392f2ad1bf60818

memory/1308-18-0x0000000074B90000-0x0000000075141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6B6C.tmp.exe

MD5 a89e5c60ab0237ee36f256e5552182f8
SHA1 33a9879e91b7477f06a9a9e63f4f676bf3ab735b
SHA256 a2bd26a6cb5f96b757f2ad469dc6014537d133054a7891779d64de5c0fa41cb1
SHA512 e970b328c5597605ee2940907a57b24f08aca805f3abb735edbb3678352ea92cfb3a3f9ee8c41efe219d610f3bd562484a0ad9733b8615edd07ad6c71eb65f03

memory/1604-22-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/4232-23-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/4232-24-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/4232-26-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/4232-27-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/4232-28-0x0000000074B90000-0x0000000075141000-memory.dmp