Malware Analysis Report

2024-11-16 13:12

Sample ID 241102-tq5wnszbjm
Target dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1
SHA256 dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1
Tags
discovery persistence metamorpherrat rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1

Threat Level: Known bad

The file dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1 was found to be: Known bad.

Malicious Activity Summary

discovery persistence metamorpherrat rat stealer trojan

Metamorpherrat family

MetamorpherRAT

Uses the VBS compiler for execution

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-02 16:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-02 16:16

Reported

2024-11-02 16:20

Platform

win7-20241010-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA6F9.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpA6F9.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpA6F9.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpA6F9.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2648 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2648 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2648 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2008 wrote to memory of 1320 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2008 wrote to memory of 1320 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2008 wrote to memory of 1320 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2008 wrote to memory of 1320 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2648 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe C:\Users\Admin\AppData\Local\Temp\tmpA6F9.tmp.exe
PID 2648 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe C:\Users\Admin\AppData\Local\Temp\tmpA6F9.tmp.exe
PID 2648 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe C:\Users\Admin\AppData\Local\Temp\tmpA6F9.tmp.exe
PID 2648 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe C:\Users\Admin\AppData\Local\Temp\tmpA6F9.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe

"C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p-d2nosz.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA90C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA90B.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpA6F9.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA6F9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp

Files

memory/2648-0-0x0000000074D51000-0x0000000074D52000-memory.dmp

memory/2648-1-0x0000000074D50000-0x00000000752FB000-memory.dmp

memory/2648-2-0x0000000074D50000-0x00000000752FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\p-d2nosz.cmdline

MD5 0bd3f0c472f242adbe9f83da941a3d4e
SHA1 1ac15837aa70e0f4c97f1563d1d3386166258a75
SHA256 3da7c8bdab9cf7d184dbf9c8aacd74a2b28cf4d0dd6362d3fced4353d6b3cd34
SHA512 5c34f24cc1e11f01aa375f946e2c9518a62ee5ed39ab907c5b8bd2a283ed4557290aeb189db4bf6a1e888d34c0c57fee710047bca2326f2958db031c53b44c5a

memory/2008-8-0x0000000074D50000-0x00000000752FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\p-d2nosz.0.vb

MD5 ccccf4d79d747e52c49cd4ba15498314
SHA1 7e163b9d6fb280772cf465c4f5081c05cddba788
SHA256 85e5394333523cd4026823aea08b15a6793a438644c9ea287cf6c70105da8c9b
SHA512 752e3c1a71226e6c0f9a099246c2ca28e5e4c439313b5bba3ec1003ecd54288e0cc50fc0497eed2f9e86b5dd862e8cfda5a765b14ac3bfc0500093cd28963b4d

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbcA90B.tmp

MD5 d8afe584c7c95255b7a28bc733ea97ed
SHA1 78070df32f6787fc1f3b9b5fedce3f8236576932
SHA256 a6962a76b2dc26f73a471ff24ea32967951861db8d01d605277e505c459d5ceb
SHA512 6c26852e4c60ad18c385a8cffcda20d6e2af26d4649c4c599965ed25ac32fd37786cc1220e69ddc672259ab8ce35359f3f322d6106bac184b1576911f1d09c58

C:\Users\Admin\AppData\Local\Temp\RESA90C.tmp

MD5 4da874449ee1d0fc4e58425993ba838c
SHA1 7ab3d52f52cc6f89369fee85aa842ec85066cd1c
SHA256 e0c451175689ec00a7fb41344fa220e46346f4072f7e80c98b80a685cc67a2b4
SHA512 424b5161b1ab812ea021b562336555b7236b57f81a4aff882fa5f6e1f7b8916f6fec42e1b6843c56901c61585cdb1350df27f4b89eaa63a7cc0fe37e6b0fb286

memory/2008-18-0x0000000074D50000-0x00000000752FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA6F9.tmp.exe

MD5 6f13acf218c3f9171e57f5947fedbac4
SHA1 2f712e582a0ae1b0dadef3c8e8ff1e81e33d8409
SHA256 55e586a58ba83e30151c30d741dacd36e772cffdb37605fe418f80e6923af82d
SHA512 12e36fa42dad362fc759f56f250deefba06b5ed84b3071f7fad6754720588247bc63182f15b0f621fb73b6792ded99d4ca711cae63da70e669353d3f29b6fcf1

memory/2648-24-0x0000000074D50000-0x00000000752FB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-02 16:16

Reported

2024-11-02 16:20

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpC340.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpC340.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpC340.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpC340.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpC340.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3944 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3944 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3944 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3004 wrote to memory of 3408 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3004 wrote to memory of 3408 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3004 wrote to memory of 3408 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3944 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe C:\Users\Admin\AppData\Local\Temp\tmpC340.tmp.exe
PID 3944 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe C:\Users\Admin\AppData\Local\Temp\tmpC340.tmp.exe
PID 3944 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe C:\Users\Admin\AppData\Local\Temp\tmpC340.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe

"C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6nwcdpp3.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC488.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc45863C4315B246B39387B83B44A423F3.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpC340.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpC340.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 101.11.19.2.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp

Files

memory/3944-0-0x00000000751D2000-0x00000000751D3000-memory.dmp

memory/3944-1-0x00000000751D0000-0x0000000075781000-memory.dmp

memory/3944-2-0x00000000751D0000-0x0000000075781000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6nwcdpp3.cmdline

MD5 86e069954ac2ae6161076ca699a2ccab
SHA1 20b6e34cdb09dfc01b0fb7b2e8cef73565c687c1
SHA256 28019f56bfbe372f6698695bdb886eeec6035ae342abec2f56039da1f2f80c89
SHA512 9de6e73fc2d435aa3a7d2614de69cc012c301d46f5181f1e1f1229d81c8e9237f97c0e2df1cb4b23c54d95605a7db561f00650102ed04b2e342e6c8982fd6614

C:\Users\Admin\AppData\Local\Temp\6nwcdpp3.0.vb

MD5 480bfdd5c3cb690856ae5ba9ef96eccc
SHA1 60049dd022c7af33ba5ba2a85de2ff99d7e0a52d
SHA256 ed48d45ed61709ce6ad832284b124d74241acd58e9cc61c31ca9578808306eaf
SHA512 7e588815940f9d1c5df3943db6bded100ec449b756618192573aeba8d71cc7ae1126deb1ea13b406c6b0f454f76a479fad11246ef74c60577d7d44ddfc7778d9

memory/3004-9-0x00000000751D0000-0x0000000075781000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc45863C4315B246B39387B83B44A423F3.TMP

MD5 75cf601f8f645350430a6c3189af8633
SHA1 40393e65fe21cea5d5ad29370839f13af9d7befd
SHA256 898336b66fc574c231c2e742e59ccc9f302ad112ae331ee9a67641348734093f
SHA512 ec502bd48f9ff52168800485176850e1217a67f89ebd54d29b989a7f1132b483daaed8e0510091d2623d1ed39eda9418f97922bb64df84ee954399678c403b63

C:\Users\Admin\AppData\Local\Temp\RESC488.tmp

MD5 6d754e907b5e03194b49ca30af7cd351
SHA1 92d0b3d5f6823b7f40484575ce598424708b7017
SHA256 cac545683dfdb884cc1cc31c87732e6114da5faf50ac016636935b60a56ab99a
SHA512 c516e0610cb0de51fa5bca85f1939429bc58ce5944853e09116aaf4ad5a6a9437256448db3eaa66979c7a790ea34cc8a3667c158e817659d723a9cc1c86d71bd

memory/3004-18-0x00000000751D0000-0x0000000075781000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC340.tmp.exe

MD5 bd69cc0bb01e774c22fb4bc28be8fed2
SHA1 ac724794d538bea2b22aa2baf48f842f4f76ba84
SHA256 1ff164565e17dbe444497b62d9f22794e00b79be3798fb72f2155f17ed9a44ed
SHA512 7625e9c5888c27479844ee3e8be5198e25c237ba03da752cc9f9ac155ae4a30beb59510a48966a9a7a362c03720d62ed21176d7a81eb1a12b983fa121cdbba21

memory/3944-22-0x00000000751D0000-0x0000000075781000-memory.dmp

memory/2188-23-0x00000000751D0000-0x0000000075781000-memory.dmp

memory/2188-24-0x00000000751D0000-0x0000000075781000-memory.dmp

memory/2188-25-0x00000000751D0000-0x0000000075781000-memory.dmp

memory/2188-27-0x00000000751D0000-0x0000000075781000-memory.dmp

memory/2188-28-0x00000000751D0000-0x0000000075781000-memory.dmp

memory/2188-29-0x00000000751D0000-0x0000000075781000-memory.dmp