Malware Analysis Report

2024-09-11 10:25

Sample ID 240726-gk9w8atbpc
Target 86ef2a66c72c1d358578f09b15ae4dc0N.exe
SHA256 62fff19daf26f0eabeb7f64b8261ce206b5568478bf26e56d49b7c6ecec26feb
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

62fff19daf26f0eabeb7f64b8261ce206b5568478bf26e56d49b7c6ecec26feb

Threat Level: Known bad

The file 86ef2a66c72c1d358578f09b15ae4dc0N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Uses the VBS compiler for execution

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-26 05:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 05:53

Reported

2024-07-26 05:55

Platform

win7-20240708-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpC3EB.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpC3EB.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpC3EB.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpC3EB.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1964 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1964 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1964 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2152 wrote to memory of 2304 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2152 wrote to memory of 2304 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2152 wrote to memory of 2304 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2152 wrote to memory of 2304 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1964 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Users\Admin\AppData\Local\Temp\tmpC3EB.tmp.exe
PID 1964 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Users\Admin\AppData\Local\Temp\tmpC3EB.tmp.exe
PID 1964 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Users\Admin\AppData\Local\Temp\tmpC3EB.tmp.exe
PID 1964 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe C:\Users\Admin\AppData\Local\Temp\tmpC3EB.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe

"C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yoofl24i.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC4D5.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpC3EB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpC3EB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/1964-0-0x0000000074B41000-0x0000000074B42000-memory.dmp

memory/1964-1-0x0000000074B40000-0x00000000750EB000-memory.dmp

memory/1964-2-0x0000000074B40000-0x00000000750EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yoofl24i.cmdline

MD5 d58c2d85b3221aba35a70e6dbb2d3556
SHA1 59d542f8e6f18ee83164ce70b2c665c61f5fb3c1
SHA256 da77c78aba9d5bd4c7477f2cc580081510372d021509c512cb9a1597902c81cc
SHA512 ea280e7977f39b8d6be0b270b8f788db7041a4003c0f56aa59dab59adce4506475fb970448e45f07d4b407b70cc378bf1162ac08f4d8303da5a118019dd73d9e

memory/2152-8-0x0000000074B40000-0x00000000750EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yoofl24i.0.vb

MD5 02eab4d5534f75e03c25ce769b100846
SHA1 e328c8ca26752f4cc9d6ac7bb9299f159796f0b7
SHA256 87ab032143d3e666acb3179eca11b907632fcd2895ae9e31a4c39cd95a76dbfc
SHA512 8f60f28f1fe188a7d0770e3a895e0e442650e347f122ac77689b22dcf2879335f9f3a1621c24151a679d2fe02937d24d57d56175e42ada24de3ba286d48565f4

C:\Users\Admin\AppData\Local\Temp\RESC4D6.tmp

MD5 a2cefd9235e3fa8442dfb857c31fc3f8
SHA1 de7c6b93cbea2f7fc6b79a60f9b0860bfc1e1670
SHA256 6f8af295f02ef972ff8790040f7676b78f04a0fda3b2284261b1c4294529587a
SHA512 f61316becb999514688c3c21e79bead2a86d4c0c9298b8d2e5e18b5e613adc7433ca68941d495a0d3923585998c9ede01afab3b2f46589888be0d01e6435c142

C:\Users\Admin\AppData\Local\Temp\vbcC4D5.tmp

MD5 1b497b29fd75560f11ea0d01594e8fa5
SHA1 fe038da1ca9abc592f2b8481e44d58737f3c8ac9
SHA256 db291966b9a3f83aadb65872fbd9f0bb812a9c64042dd4ab3f1fdb0ecef8f7c6
SHA512 5e6789429ce5484255e0c763f7bf271fcaeec66f0aa82fde62dc583e6e85f438716c4db25aefa174efd250c8eec581a377a3f507f426b356935d3653e6c5a916

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

memory/2152-18-0x0000000074B40000-0x00000000750EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC3EB.tmp.exe

MD5 a9a1d1c1c9cf674304f76d56adf1df64
SHA1 ffc93cae555fe3b054f05aecbeba5694c32d353f
SHA256 e5a6bc460b8e9d60d62626d49c4172589a85af84986fbc1a1ad179c55ba35bd8
SHA512 2487f81e227327f98ffb701682dfda7d019cc82e877d8a11424955c86e5cd8a618c0dfa92a4ccdb266e305b4a8fd019b702e927f2e2b68071144ccbcbaa512f8

memory/1964-24-0x0000000074B40000-0x00000000750EB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 05:53

Reported

2024-07-26 05:55

Platform

win10v2004-20240709-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpCCA6.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpCCA6.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpCCA6.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpCCA6.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpCCA6.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe

"C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mnvkvisg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE0E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDA39CE6784D6436CB1418C36667E4817.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpCCA6.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpCCA6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 8.8.8.8:53 39.58.20.217.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp

Files

memory/1896-0-0x00000000751F2000-0x00000000751F3000-memory.dmp

memory/1896-1-0x00000000751F0000-0x00000000757A1000-memory.dmp

memory/1896-2-0x00000000751F0000-0x00000000757A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mnvkvisg.cmdline

MD5 9792e93a8cb543e96bf1e342a559769a
SHA1 71ac2ab34ce9236a47f9f28648f0c0dc89bcb899
SHA256 9f237f80dadf3cfd1a4415e1c7a4656563f6e388713af0b71474884ba5920b90
SHA512 0a359bf249f02b92a1a21739cf61da7f5d9eb4234f6b82a1f4a0a42cc7e7eb30f9a070502344a83117d3f92de7b5669ea64baf9aa8dd7eaa53f73b56833d0e02

C:\Users\Admin\AppData\Local\Temp\mnvkvisg.0.vb

MD5 3bdeb93639f1c04d726d7934d9417405
SHA1 74829e5750c7341eda8286ca057a0bd0fe776d90
SHA256 f2de0bdd14e486740bf4a1f26e497b41dfee60adee8d526e81c420c59e6734c2
SHA512 c1dd215cc0fa14d7814afd475cbde9d63f9e1cce3c413ff784d4460ab0a8c6d82f347320c2e08b3136ef4c472a1ad4e54500b5ca4ea900b88d5f84170f01337b

memory/2872-9-0x00000000751F0000-0x00000000757A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbcDA39CE6784D6436CB1418C36667E4817.TMP

MD5 ecf1160d1e3a7339779fa33ee4761cdd
SHA1 1c0ebd97e4e63176577c5d385b3d99371c7afcc2
SHA256 5ef8ca7416c3a5a7a015b70253941259ab14e723e6d54b0ea8647d05605a0edb
SHA512 2f9e58a5590e1425850b8de5bf4a1d9ea8b2d6b48c2c5b0e8167ad252b2c828f852370ee46bcf6619d4f44cb97ec002889ab8330e316e59cbddf3bd7abe43965

C:\Users\Admin\AppData\Local\Temp\RESCE0E.tmp

MD5 7b16cee4e08730bfecaebec3c5b009e5
SHA1 134e6d8ad4003244ea077faebfc60f6ebf1b6ed4
SHA256 25543f974acbc0ada31cf0fbd0ba5cdb238063f9b7c9c94326d4ab14184f44bb
SHA512 2ebcc43656f65d1cfc36879650d8ebd81c7773edbe3f60904c177d2cdc9d14e06f2de5b0f20f946ef292d1d488bbee93015861937ce8f6e2f955b584205e6b32

memory/2872-18-0x00000000751F0000-0x00000000757A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCCA6.tmp.exe

MD5 b5b496689008fa599b16f7963a14eca6
SHA1 b8dc95a762467ac24cb19a0d158cb091d0574b5d
SHA256 2dee8a04fce6a96a31024f672030bad8b704f1f44deda4192f97fc5a27525ee8
SHA512 daf855fa0bfdc61e972027046eadd245f48e8efbc22c8bb04f25746fe6f5b72c35d97d26dce3e6192e1b5371f319747ca01f6fec56d03ec9a270653ccc63d953

memory/1896-22-0x00000000751F0000-0x00000000757A1000-memory.dmp

memory/4500-24-0x00000000751F0000-0x00000000757A1000-memory.dmp

memory/4500-23-0x00000000751F0000-0x00000000757A1000-memory.dmp

memory/4500-25-0x00000000751F0000-0x00000000757A1000-memory.dmp

memory/4500-27-0x00000000751F0000-0x00000000757A1000-memory.dmp

memory/4500-28-0x00000000751F0000-0x00000000757A1000-memory.dmp

memory/4500-29-0x00000000751F0000-0x00000000757A1000-memory.dmp