Malware Analysis Report

2024-11-16 13:12

Sample ID 241103-vky2lsylaw
Target a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N
SHA256 a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673
Tags
metamorpherrat discovery rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673

Threat Level: Known bad

The file a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Deletes itself

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Executes dropped EXE

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 17:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 17:03

Reported

2024-11-03 17:05

Platform

win7-20240903-en

Max time kernel

99s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp80C4.tmp.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp80C4.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2800 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2800 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2800 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2800 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2140 wrote to memory of 2864 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2140 wrote to memory of 2864 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2140 wrote to memory of 2864 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2140 wrote to memory of 2864 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2800 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe | C:\Users\Admin\AppData\Local\Temp\tmp80C4.tmp.exe
PID 2800 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe | C:\Users\Admin\AppData\Local\Temp\tmp80C4.tmp.exe
PID 2800 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe | C:\Users\Admin\AppData\Local\Temp\tmp80C4.tmp.exe
PID 2800 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe | C:\Users\Admin\AppData\Local\Temp\tmp80C4.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe

"C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5ugvgxjl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8190.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc817F.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp80C4.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp80C4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 8.8.8.8:53 simrat.no-ip.info udp
US 8.8.8.8:53 bejnz.com udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2800-0-0x00000000745F1000-0x00000000745F2000-memory.dmp

memory/2800-1-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/2800-2-0x00000000745F0000-0x0000000074B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5ugvgxjl.cmdline

MD5 619eb01b747055ebfa0127853e776ee3
SHA1 30040eec3ee6d9cf7d0639754ff1f73570aa869a
SHA256 165b5ed484380d235f18c1bdced61e8b22724a7cbdb9eee3928ecc83353be001
SHA512 5524d1ec2bc474d98607fd0fabe51dad7a00d5af866c7caad3c9ff933a1523d5279dce520f098d24851d39bc1a7ba498bbce4a63ce911a0cc1fe4c8b01fafbd2

memory/2140-9-0x00000000745F0000-0x0000000074B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5ugvgxjl.0.vb

MD5 80e3ab14f3065d88eabb1d8368392b90
SHA1 b977ca479c82b025336fbedf250cdfe35d3fbd9c
SHA256 13ea8420467132e0d4d6159aff69403fc9afb2658b426821726ee4e9a5a0bcbf
SHA512 e5ddc5a0549aa1cc06a1760e6ac727a35b3f7fc1635803c2668d337c51fe70faad3f174a3211b1c85a7e79600d5732dd5316c36e9356768aa0ab79de637a7530

C:\Users\Admin\AppData\Local\Temp\tmp80C4.tmp.exe

MD5 e6e64a6fef178a631060dd90698e4d2a
SHA1 d7dc23bf8f5acfa27df6bf47fbd5fe7d30dc05fc
SHA256 791de2d40d422f2260a9216233b0e73c6ce8edbf6ea730ea8d1e03852da5af22
SHA512 ff14bef7a227f2f3deedfcbaca72637782b31d0602ccb8cd96d5d10c6cebda12cc7745dc4a28f8e8c62313d48fddba36dbfd746cccfd7ab5eb7acfddefcf6202

memory/2800-24-0x00000000745F0000-0x0000000074B9B000-memory.dmp

memory/2140-18-0x00000000745F0000-0x0000000074B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RES8190.tmp

MD5 71e4268e4e936cc52c1af5bcda153af0
SHA1 cc3c03f56d9da11edf3b58454e320d682e4a9cbc
SHA256 03e4e62d53f872131e604b2c82cb4a1053c942a5ea5dad9af98af0f47c4b2acb
SHA512 ebdbeb4cd49f12ce012223ac8b0b4d671ecd7118658b18083ed011336f2100108651999ac979bf99f87534714171e66eab95ae52a015701f30c66214e9e4b8fe

C:\Users\Admin\AppData\Local\Temp\vbc817F.tmp

MD5 59dd9afb08711b29a1b2204376cfc5d2
SHA1 58682ac1eb10a5d26a34c3d8ea8f2c0f303c8360
SHA256 b309f408f2102200ef30723525145f51ec2825f2a73e24e2b37f96d249766ef5
SHA512 c8c0295fe1b614b7a6337a7ad014ef517466951b1aba5a841930c2c1afb37d4a8305ae8486f1fcbad7c90b3b78ced94efb14e87596e27c355f20b4e76df34a28

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8008b17644b64cea2613d47c30c6e9f4
SHA1 4cd2935358e7a306af6aac6d1c0e495535bd5b32
SHA256 fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55
SHA512 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 17:03

Reported

2024-11-03 17:05

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7B3B.tmp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7B3B.tmp.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp7B3B.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7B3B.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1104 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1104 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1104 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1564 wrote to memory of 1152 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1564 wrote to memory of 1152 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1564 wrote to memory of 1152 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1104 wrote to memory of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe | C:\Users\Admin\AppData\Local\Temp\tmp7B3B.tmp.exe
PID 1104 wrote to memory of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe | C:\Users\Admin\AppData\Local\Temp\tmp7B3B.tmp.exe
PID 1104 wrote to memory of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe | C:\Users\Admin\AppData\Local\Temp\tmp7B3B.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe

"C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jbyzy_r7.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CF0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc758138F2E1324547BDC2E7C2A7A7622.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp7B3B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7B3B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 165.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 8.8.8.8:53 simrat.no-ip.info udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 8.8.8.8:53 101.11.19.2.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/1104-0-0x0000000075162000-0x0000000075163000-memory.dmp

memory/1104-1-0x0000000075160000-0x0000000075711000-memory.dmp

memory/1104-2-0x0000000075160000-0x0000000075711000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jbyzy_r7.cmdline

MD5 5d6473a9033e16112b77b2ef33258d31
SHA1 6cead00312251ef5daea87205e46dda5471f52f4
SHA256 e5de4656bab4af785195a49e9ae0319c830b64290c0f4b5d04c96af7afa1b18e
SHA512 2dcda416ea716583bccaf4711f86930f3a6934ab08a31f72f4d7c5e379abf74554eb6499e5b1f46aff99b5b128601e019877e06b10cc431d5cb8daf5991e74af

C:\Users\Admin\AppData\Local\Temp\jbyzy_r7.0.vb

MD5 f0ddbcd87f44cb4a02b207019a381b37
SHA1 a4c706ecbe7c97453c2f9a09faf4cfaee1c35c3a
SHA256 2b3aebcc36d37c5fff6f53d036a8c4a62b6878292afcca531bd46d961e858096
SHA512 5cd4ee1cdbc4bcac616c47b5d423fda3251cb91b9619d45031ff3be0f20af646d0099b1fb1a6eda6d72667d4055250643c05baeb932796ec81d42a14229ec813

memory/1564-9-0x0000000075160000-0x0000000075711000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8008b17644b64cea2613d47c30c6e9f4
SHA1 4cd2935358e7a306af6aac6d1c0e495535bd5b32
SHA256 fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55
SHA512 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

C:\Users\Admin\AppData\Local\Temp\vbc758138F2E1324547BDC2E7C2A7A7622.TMP

MD5 47778c5a7ebcf0b22f13b1f20b2a5b22
SHA1 45e605454d88ac1f508593f8b2a9f2cbf0d955f8
SHA256 c331eb8a5bcb9dc92c50f6fd433eee6508daf69b91529000b46e4f59408e851f
SHA512 51737ccacf53dfbd9be9d00744da0521e81e690c0f5cda0846092539a66ed8d62350559ed212d550335edadbed6556d70ce07fdc39f89ce33ab7205c4f190643

C:\Users\Admin\AppData\Local\Temp\RES7CF0.tmp

MD5 742b7c53d6c6e23b4d877f9a0fb7847a
SHA1 ad9841f82fe77abf5bb48108ed6049fcab19839b
SHA256 93afeb76fe1395cf7c2f99263abc3e1e771c17165577e74fa26e3ecc6ee0d1f8
SHA512 690fcdc6ff0b7b3a2c69b787b775aa162d90e7b0fa1d8ac9b8e67ee3f304287a5b754e441aad8e6fbeb6d1e6980d734d46b76a5868d89f409f4ea6653fab5ee2

memory/1564-18-0x0000000075160000-0x0000000075711000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7B3B.tmp.exe

MD5 9c8036ee5b66d2efcc43f65451589458
SHA1 e27339630b9822b0ecec7132b4a1a6402226da2e
SHA256 02e16f9572e2c1dd2c3b51565becfc0d475604c06ef576c256b1c5eb63469ec9
SHA512 720ab168dd7a8ba7e6433a4d5b6789852b53bab86bedd7b89ee31f8bf2a73c71a118e8cf952de5a1e0c4771acedff0b60f1e591b6a173cd2cde26c11ba419e3f

memory/5028-23-0x0000000075160000-0x0000000075711000-memory.dmp

memory/1104-22-0x0000000075160000-0x0000000075711000-memory.dmp

memory/5028-24-0x0000000075160000-0x0000000075711000-memory.dmp

memory/5028-25-0x0000000075160000-0x0000000075711000-memory.dmp

memory/5028-26-0x0000000075160000-0x0000000075711000-memory.dmp

memory/5028-27-0x0000000075160000-0x0000000075711000-memory.dmp

memory/5028-28-0x0000000075160000-0x0000000075711000-memory.dmp