Malware Analysis Report

2024-09-11 10:24

Sample ID 240724-hvjy8awhmf
Target 5e33b6299facd682436d9b0d84ad2730N.exe
SHA256 6ea273d6ad80b5408e1dcc62bd272160101aa68f1379bc7251b8de6b96ede5a7
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6ea273d6ad80b5408e1dcc62bd272160101aa68f1379bc7251b8de6b96ede5a7

Threat Level: Known bad

The file 5e33b6299facd682436d9b0d84ad2730N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
System Location Discovery
T1614
System Language Discovery
T1614.001
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-24 07:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 07:03

Reported

2024-07-24 07:05

Platform

win7-20240708-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2996 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2996 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2996 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2996 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2072 wrote to memory of 2004 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2072 wrote to memory of 2004 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2072 wrote to memory of 2004 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2072 wrote to memory of 2004 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2996 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe
PID 2996 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe
PID 2996 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe
PID 2996 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe

"C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dnbfiz66.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8DA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8D9.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2996-0-0x00000000741F1000-0x00000000741F2000-memory.dmp

memory/2996-1-0x00000000741F0000-0x000000007479B000-memory.dmp

memory/2996-2-0x00000000741F0000-0x000000007479B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dnbfiz66.cmdline

MD5 a2adfe8b0a1340d941ef52661d410ea1
SHA1 3750916d5ee840eeb4d71610492b017de1b4afaa
SHA256 64a496fa7eac6321c6729c4020dfce3ff96834a18572c4b8b942ef95289afb37
SHA512 781c5b9048fa10267dcf45d79132b43614795a0683efb2f0da8d563c6cd638030a3282f5ca28ca45b01281c5c8d8a7a1c045940b768c8c481820d610477b76a7

memory/2072-8-0x00000000741F0000-0x000000007479B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dnbfiz66.0.vb

MD5 200224afc4551840ab039259a1ca1d19
SHA1 6c6666e4d3c71ed35f69959beb7c0eecb9cfadc9
SHA256 5c7cdfa85ab57890040cb44c0e047ebba917c9d0b8214e8311684ddbab09d1d5
SHA512 2ac20ba569a20992f0652b3566295ad887bf96426b15a2eb173fc07bc79b8729357e7cb50aaaefe55e2dced354b04a388c665c2a9fe5f6a8b8dfd962fd68aab4

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbcE8D9.tmp

MD5 b302d62d43d996b7d82cb7f58bcae392
SHA1 c07717723f70117bd89db4ca14592aa3f8d4027e
SHA256 54b381c18fc9128636cb4a6c0d155971089bf40fe489c772899060f34cd12c69
SHA512 5054c8bc1300570016fcae5ef9ce1908d0889025e513e72a302dba06e140661fdd4d4ddff37ffe9c35d21971da2aa8c94d26642f22071fe2ea8542c122a11281

C:\Users\Admin\AppData\Local\Temp\RESE8DA.tmp

MD5 b55da29f61f2bd14d2fcdacae545486b
SHA1 fbac7618dd2b1f78fdb05bff9f6a2685d62378dc
SHA256 7f7378f5c354c294ead0e0e1cff77536e1841b94cfdf54cee4fda01257c88724
SHA512 2edf153d24f827411ae3b1839dac5f055dc07db6a6667a38ac799cf9c16eae8ea45d3b973a0afd6ff4d5a27a3b01b15240da4c7ce2fa07290b9af72cc5df1c4d

memory/2072-18-0x00000000741F0000-0x000000007479B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp.exe

MD5 916935bae129c6a455339f510d7b3dcb
SHA1 d82bc14bb25ccc6b3a020ad85a861f2754e63d1c
SHA256 961a80321e2d200f47b35deca044c1ea8746504b78995576021b77554aa84438
SHA512 18da3dadf3126f9cb75109dc292b71094111432a9b81aa0f1fbdc2a0b38eb032ed2d51469659a452fb443b6eaeeca2e3a2ae46ddd1d8903ab2057ae380ea18fd

memory/2996-24-0x00000000741F0000-0x000000007479B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-24 07:03

Reported

2024-07-24 07:05

Platform

win10v2004-20240709-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8D0D.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp8D0D.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8D0D.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp8D0D.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3104 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3104 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3104 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3256 wrote to memory of 4880 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3256 wrote to memory of 4880 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3256 wrote to memory of 4880 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3104 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe C:\Users\Admin\AppData\Local\Temp\tmp8D0D.tmp.exe
PID 3104 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe C:\Users\Admin\AppData\Local\Temp\tmp8D0D.tmp.exe
PID 3104 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe C:\Users\Admin\AppData\Local\Temp\tmp8D0D.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe

"C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hp3l9jfb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E55.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc18AE8C90587946FA894A5C492F851CCC.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp8D0D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8D0D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5e33b6299facd682436d9b0d84ad2730N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp
US 8.8.8.8:53 udp

Files

memory/3104-0-0x0000000075292000-0x0000000075293000-memory.dmp

memory/3104-1-0x0000000075290000-0x0000000075841000-memory.dmp

memory/3104-2-0x0000000075290000-0x0000000075841000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hp3l9jfb.cmdline

MD5 f200fd9a02dc6896f4c60a56335cd05b
SHA1 89ecd45c645acf42436775d7f3c381143853a0f6
SHA256 2015165036304950858e9c48974a2a41386f5d2e8519b73cfd73728cc9158acd
SHA512 5d8a3ad6d79c317685bc3d3ac87d61392ad400f49566d51a322544bafcbe6caba695990bc2a7286cc5362d6e079a1d61634fc445494fea72849d39f2d22b8d5e

memory/3256-8-0x0000000075290000-0x0000000075841000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hp3l9jfb.0.vb

MD5 9d62b2836c67038bf5c6df7ca05d9cf9
SHA1 8f3d6808eb9cd4863ad1d0a91b6d696249ae6755
SHA256 8862c84bc6f71aa5dbf658ebcd4e88aaf7fbfeb46a0a70f2319fef3953a421d8
SHA512 012bc0ac4c7a4dab0d8bfd9370cc2263bacc2be172c708a6f5cdae718ad41a61e54a3eed606e0ca56b21b4d2e6cce8e85a7517372607652b3924d3383fa83b57

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc18AE8C90587946FA894A5C492F851CCC.TMP

MD5 4f8bd209e257d7ad68f28fc182dd934d
SHA1 d61df22e57a71e673ee552f0a518970873120b16
SHA256 43862525f0243afb96dbe596c0c20b7de912c2a4003a85c8cda8b0e83694047c
SHA512 d42b04fa0e80f98da8b096aa7256ce10b61f83f31d2324772192bc1fbbfd15d1cb70dd40b8bb34db7a6a1d1da33cf125a4288c1862c1efdbdb3b3e916feba4f8

C:\Users\Admin\AppData\Local\Temp\RES8E55.tmp

MD5 40fa90433f24d16b9452b2449aa9456a
SHA1 3723cdb8fcb6723433d46af15e66ee65862529b3
SHA256 b6688a7d4438d03d3c43c2df65a1a892075dcfa57879c39e4ac6857d5f0bc228
SHA512 bff5499de7e41ece774bd65877915eeefe959f21fa32070b3eecf1c5fc81b405c8359cbef5869734c84a83ccb1d419f711435c8cd4dd975f2f5bcc69e433c8ea

C:\Users\Admin\AppData\Local\Temp\tmp8D0D.tmp.exe

MD5 d6fc93ddf946d7540c75e4f47e64ed8d
SHA1 5bbf857384e87aa59f92c849b5e79aab2d630a48
SHA256 a3f75b343e69a970464cc3b64025a7703528582ddb7bdd46f064accab33fa2ee
SHA512 09413bf8e9c73d152716f799f8bbca4da246b7bb14208fcd74c8fb59ea67d177f15ed0617ea18fbb3fc3c96475e084509e75f27ac59360f1be6031c0f38d7828

memory/3256-18-0x0000000075290000-0x0000000075841000-memory.dmp

memory/112-22-0x0000000075290000-0x0000000075841000-memory.dmp

memory/112-25-0x0000000075290000-0x0000000075841000-memory.dmp

memory/112-24-0x0000000075290000-0x0000000075841000-memory.dmp

memory/3104-23-0x0000000075290000-0x0000000075841000-memory.dmp

memory/112-27-0x0000000075290000-0x0000000075841000-memory.dmp

memory/112-28-0x0000000075290000-0x0000000075841000-memory.dmp

memory/112-29-0x0000000075290000-0x0000000075841000-memory.dmp