Malware Analysis Report

2024-11-16 13:11

Sample ID 241105-crkhpavmek
Target a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717
SHA256 a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717
Tags metamorpherrat discovery rat stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717

Threat Level: Known bad

The file a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 02:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 02:18

Reported

2024-11-05 02:21

Platform

win7-20241010-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpC9D4.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpC9D4.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2044 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2044 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2044 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 832 wrote to memory of 2836 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 832 wrote to memory of 2836 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 832 wrote to memory of 2836 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 832 wrote to memory of 2836 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2044 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe C:\Users\Admin\AppData\Local\Temp\tmpC9D4.tmp.exe
PID 2044 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe C:\Users\Admin\AppData\Local\Temp\tmpC9D4.tmp.exe
PID 2044 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe C:\Users\Admin\AppData\Local\Temp\tmpC9D4.tmp.exe
PID 2044 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe C:\Users\Admin\AppData\Local\Temp\tmpC9D4.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe

"C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vgqtzoqm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC93.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC92.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpC9D4.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpC9D4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2044-0-0x0000000074B31000-0x0000000074B32000-memory.dmp

memory/2044-1-0x0000000074B30000-0x00000000750DB000-memory.dmp

memory/2044-2-0x0000000074B30000-0x00000000750DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vgqtzoqm.cmdline

MD5 cae5baf3185884ada003ad519e54241f
SHA1 a949f72a347ff135209604a5eb8ecb3839357db6
SHA256 b525065aaca49859a7adf0a21347ea2a496a099fb0b4b88e04bcd2188d1a8c53
SHA512 d5e544c1a55c4927e4c39cb6fc4195e6d59e2acfaa653b7b3947ec0f99c0c787bea772f577a01511f7031a8d89fc966c1c617f1ad4c8c1a777de306427077ecc

memory/832-8-0x0000000074B30000-0x00000000750DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vgqtzoqm.0.vb

MD5 25e8765c450627d1d61562a2e7ee5b7f
SHA1 fd79f9ad394d5f5a6e100672110fbbe3f47b2015
SHA256 215ceded248be38b47964dc2e62f91f3e54d798a75b6d613deeb74ecde9703c8
SHA512 13a12e2066a31513587a87e3be780210b977d7a27d7a63d960582202590bbfe90e1edec26d4aee1d82831adea3452f887dbd4cf0334f65a1204de9244293a651

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8008b17644b64cea2613d47c30c6e9f4
SHA1 4cd2935358e7a306af6aac6d1c0e495535bd5b32
SHA256 fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55
SHA512 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

C:\Users\Admin\AppData\Local\Temp\vbcCC92.tmp

MD5 a82aba3387c64a0534fab917507ad27b
SHA1 9eb37512dadfbc29c6d9b54c581ff71be4ba01a7
SHA256 a6b6dd9184b620ee61d9b0052057f01f3b27f73c4ae7af09968406162905ed8f
SHA512 20cafcb5cbdb9114f2c0342cf32bc6417a7175925de99a7e7fad2c8c46c01cac82726721bcd3e2a4b513efc249c35d4fd6d4a852d328be88176c037db0d6ace7

C:\Users\Admin\AppData\Local\Temp\RESCC93.tmp

MD5 fc252449eed04522ae6d45d02b4b6dfb
SHA1 6c1e4bd0b8a35aed58744bd04f64654a334c5ea3
SHA256 20918fd1a554cbbd4f0be9d9032008b96500358330c55b7158a8d8a106cf1b8e
SHA512 38f1c3b4e9293a11cf0017d03467e7959e25a06ffd445e8399fe2bd5d8498f449b1c9b9255c02b2ef5e9fd25ca1e7fe2371e462834de65cadbf7d5fee56868e2

memory/832-18-0x0000000074B30000-0x00000000750DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC9D4.tmp.exe

MD5 92cb6e333b6de587a634b62c578caffb
SHA1 8209c41555c27b93f473c6cec0d49fc0052ac347
SHA256 db6a07d969c13575f20e1b86b7d4830839933694dfe2061dee32ab55175ac82c
SHA512 7000829f6caa887078543bd65c4b7ab7e01c5b054abee09efb75e58fff9db878d6b7a142aa23e482475f18b20e3d59238c54111078fbdef704af9798a9be03aa

memory/2044-24-0x0000000074B30000-0x00000000750DB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 02:18

Reported

2024-11-05 02:22

Platform

win10v2004-20241007-en

Max time kernel

151s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpBF1A.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpBF1A.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpBF1A.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4820 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4820 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4820 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3296 wrote to memory of 208 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3296 wrote to memory of 208 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3296 wrote to memory of 208 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4820 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe C:\Users\Admin\AppData\Local\Temp\tmpBF1A.tmp.exe
PID 4820 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe C:\Users\Admin\AppData\Local\Temp\tmpBF1A.tmp.exe
PID 4820 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe C:\Users\Admin\AppData\Local\Temp\tmpBF1A.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe

"C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3xk0agj7.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC63E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D985503EEB466EBF5D6C6AC9CB9FD.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpBF1A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBF1A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a86310cc5fa3eabb4347511ed37abddb2028ecad774fea2ec88938bc2f323717.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/4820-0-0x00000000747D2000-0x00000000747D3000-memory.dmp

memory/4820-1-0x00000000747D0000-0x0000000074D81000-memory.dmp

memory/4820-2-0x00000000747D0000-0x0000000074D81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3xk0agj7.cmdline

MD5 fb2d06b3aa014faa6b54b75aff6ec788
SHA1 c3a554cdbbc44d33b8f7eb49eefb85cbd92c5a7b
SHA256 5587ddb6b2c2fd1e48250d4bcdf3751bcaee74819f613e742a62bc0346a53042
SHA512 63c56be3808424c0710bcb2f49fd138045c8c67c79827e50940640ca8a2d86b3fd4d1e489228441daee12027321a751d12592fb6a54b7e1dd4ef1d4c39af7ad6

memory/3296-8-0x00000000747D0000-0x0000000074D81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3xk0agj7.0.vb

MD5 b348347b96c52ff2f3290e2ef72fbcfd
SHA1 594315cce2c0f62c75e78eac335cf3b354f45e1b
SHA256 4121c5bae48a46b3831b61afc0101c8c7208c4f0e5f7c4760f92c1b9ad87da80
SHA512 c54b6c38a06e35e1f06e1ab1972734eccea1e1e477225fc4592b2ef53aa69a9c5c7c837f9cc2910a9e23e6a5742a6d0e764d61029fdc207dd919219bce09e205

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8008b17644b64cea2613d47c30c6e9f4
SHA1 4cd2935358e7a306af6aac6d1c0e495535bd5b32
SHA256 fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55
SHA512 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

C:\Users\Admin\AppData\Local\Temp\vbc9D985503EEB466EBF5D6C6AC9CB9FD.TMP

MD5 2e3d2a2fe7044fc4ce0dd0191be1e344
SHA1 3939e1b5723e10acb6b3b9a404c66ae4941ed733
SHA256 91b3108461e8862a43601a2f7c82f7c9126422cca9de35ea659f1b0d1e001a1d
SHA512 b3a8ebbb8b7886cb1efbb27a9a3afbf80259e1fd75a4c5b8ebef3fbdf0da89e8e2f01b00911e452c3a6078982986e12647f854048ab2c02cac23831f2976677b

C:\Users\Admin\AppData\Local\Temp\RESC63E.tmp

MD5 82746393d8eee26e54f05b1512971330
SHA1 a34dc817d6650786a369bd1084b9a0923a29284b
SHA256 d1a5397567f882bc498a33f17f093a49f9888f0f1638751f0d47cd63baa01d24
SHA512 8e6302f8da036c8c1ac14eae0a5496f2c8b3d8b33611c99348f52864ced9c0898b9b8c6a81c823c2d76df3015f8b467471fe450139129e449c0299e049d8ae76

memory/3296-18-0x00000000747D0000-0x0000000074D81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBF1A.tmp.exe

MD5 54375c1902b874cd1b7b6071a7b35571
SHA1 cfae6795dff6cfdb2d06ccdf800e30f41839433b
SHA256 34cd9d96c7f58ce651bbeaa0050c2a01e433d2f445455ec7f732cd4b1d21d90d
SHA512 aa36465ee2b5ccf0d3b4e42c6cd0f81662301ac038ef834b13970fa2e2d1aeff0ac5393f90f63c13ecd8c4201e5a149116a517c9d025890356d02fb86336aaee

memory/4820-22-0x00000000747D0000-0x0000000074D81000-memory.dmp

memory/2800-23-0x00000000747D0000-0x0000000074D81000-memory.dmp

memory/2800-24-0x00000000747D0000-0x0000000074D81000-memory.dmp

memory/2800-25-0x00000000747D0000-0x0000000074D81000-memory.dmp

memory/2800-26-0x00000000747D0000-0x0000000074D81000-memory.dmp

memory/2800-27-0x00000000747D0000-0x0000000074D81000-memory.dmp

memory/2800-28-0x00000000747D0000-0x0000000074D81000-memory.dmp