Malware Analysis Report

2024-11-16 13:12

Sample ID 241108-vhr6aaykbl
Target 563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN
SHA256 563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9d
Tags
metamorpherrat discovery rat stealer trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score: 10/10

SHA256: 563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9d

Threat Level: Known bad

The file 563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Executes dropped EXE

Loads dropped DLL (listed in this aggregate summary only; neither behavioral run below records a matching signature or a dropped DLL)

Deletes itself

Uses the VB.NET compiler (vbc.exe) for execution

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-08 16:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-08 16:59
Reported: 2024-11-08 17:01
Platform: win7-20241023-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.exe N/A

Uses the VB.NET compiler (vbc.exe) for execution

Note: vbc.exe is the Visual Basic .NET command-line compiler, not a VBScript engine. The invocation vbc.exe /noconfig @"<Temp>\<random>.cmdline", the matching <random>.0.vb source file and the cvtres.exe child (which converts the generated resource file, here vbcC0DF.tmp, into RESC0E0.tmp) are the footprint of the .NET CodeDOM compiler (System.CodeDom.Compiler, CompileAssemblyFromSource). In other words the sample does not carry its second stage as a finished PE; it writes VB.NET source to %TEMP%, compiles it on the victim machine into tmpBFC6.tmp.exe, and then runs the result. Any process that is not a developer tool spawning vbc.exe or csc.exe with a response file in %TEMP% is worth alerting on.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.exe N/A

Note: opening NLS\Language is routine start-up behaviour for any .NET or C-runtime process; the Microsoft-signed vbc.exe and cvtres.exe trigger the same row. On its own this indicator carries little weight.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 108 wrote to memory of 2040 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2040 wrote to memory of 2032 (4 calls) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 108 wrote to memory of 1044 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.exe

Note: every write is from a parent into a child it has just created, and the pairs match the process tree exactly (108 -> 2040 -> 2032, 108 -> 1044). That is consistent with ordinary process creation, where the parent populates the new child's address space, rather than with injection into an unrelated process, and the genuine compiler output files listed under Files support that reading. The process tree, not this signature, is the finding.

Processes

Process tree (PIDs taken from the WriteProcessMemory rows above):

PID 108   C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe
          "C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe"
  PID 2040  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l7l9uy9q.cmdline"
    PID 2032  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC0DF.tmp"
  PID 1044  C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe
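The chain recorded above (sample -> vbc.exe with a response file in %TEMP% -> cvtres.exe, then sample -> freshly dropped tmp*.tmp.exe started with the sample's own path as its argument) maps directly onto a process-telemetry rule. The Python below is an added example written for this page; it is not part of the sandbox report or of any vendor product. It assumes Sysmon-style process-creation records (pid, ppid, image, command line). The event list is constructed from the behavioral1 process tree and PIDs shown above; the sample's own parent PID 1000 and the benign MSBuild control events are invented for the test.

```python
"""Flag the compile-at-run-time-and-drop chain from this report in process telemetry.

Added example for this page, not part of the sandbox report. Events are plain
records modelled on Sysmon Event ID 1 (ProcessId, ParentProcessId, Image,
CommandLine). Three rules, in the order the chain appears in the report:
  runtime_compile     - a non-developer parent launches vbc.exe with a
                        @<...>.cmdline response file under %TEMP%
  resource_compile    - cvtres.exe spawned by a vbc.exe already flagged above
  self_delete_helper  - a dropped %TEMP%\tmpXXXX.tmp.exe started with its
                        parent's own image path on the command line
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = TEMP + r"\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe"

# Constructed from the behavioral1 Processes / WriteProcessMemory sections.
# PID 1000 (the sample's launcher) is an assumption; the report does not show it.
SAMPLE_EVENTS = [
    ProcEvent(108, 1000, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(2040, 108, FW + r"\vbc.exe",
              '"' + FW + r'\vbc.exe" /noconfig @"' + TEMP + r'\l7l9uy9q.cmdline"'),
    ProcEvent(2032, 2040, FW + r"\cvtres.exe",
              FW + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP
              + r'\RESC0E0.tmp" "' + TEMP + r'\vbcC0DF.tmp"'),
    ProcEvent(1044, 108, TEMP + r"\tmpBFC6.tmp.exe",
              '"' + TEMP + r'\tmpBFC6.tmp.exe" ' + SAMPLE),
]

# Invented benign control: a build tool driving the same compiler must not fire.
BENIGN_EVENTS = [
    ProcEvent(500, 1000, r"C:\Program Files\MSBuild\msbuild.exe",
              r'"C:\Program Files\MSBuild\msbuild.exe" build.proj'),
    ProcEvent(501, 500, FW + r"\vbc.exe",
              '"' + FW + r'\vbc.exe" /noconfig @"' + TEMP + r'\abcd1234.cmdline"'),
    ProcEvent(502, 501, FW + r"\cvtres.exe", FW + r"\cvtres.exe /NOLOGO"),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)
DROPPED_TMP_EXE_RE = re.compile(r"\\Temp\\tmp[0-9A-F]{4}\.tmp\.exe$", re.IGNORECASE)
# Parents for which a vbc.exe child is expected (assumed allow-list; tune per estate).
EXPECTED_COMPILER_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe", "csc.exe", "vbc.exe"}


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_runtime_compile_chain(events):
    """Return (rule, pid, parent_image) tuples in event order."""
    by_pid = {e.pid: e for e in events}
    flagged_compilers = set()
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:          # no telemetry for the parent: nothing to correlate
            continue
        name = _name(e.image)
        if name == "vbc.exe":
            m = RESPONSE_FILE_RE.search(e.command_line)
            if m and TEMP_RE.search(m.group(1)) and _name(parent.image) not in EXPECTED_COMPILER_PARENTS:
                flagged_compilers.add(e.pid)
                findings.append(("runtime_compile", e.pid, parent.image))
        elif name == "cvtres.exe" and e.ppid in flagged_compilers:
            findings.append(("resource_compile", e.pid, parent.image))
        elif DROPPED_TMP_EXE_RE.search(e.image) and parent.image.lower() in e.command_line.lower():
            findings.append(("self_delete_helper", e.pid, parent.image))
    return findings


if __name__ == "__main__":
    for rule, pid, parent in detect_runtime_compile_chain(SAMPLE_EVENTS):
        print(f"{rule:20} pid={pid} parent={parent}")
    print("benign control:", detect_runtime_compile_chain(BENIGN_EVENTS))
```

The cvtres.exe rule is deliberately gated on a vbc.exe that was already flagged; on its own, cvtres.exe under vbc.exe is exactly what every legitimate build produces. The same three conditions translate one-to-one into a Sigma or EDR query on ParentImage, Image and CommandLine.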

Network

Identical rows collapsed into a count (89 rows in the raw sandbox output):

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 44.221.84.105:80 bejnz.com tcp 87
US 8.8.8.8:53 simrat.no-ip.info udp 1

Recorded order: the bejnz.com lookup and the first connection to 44.221.84.105:80, then the single lookup of simrat.no-ip.info, then the remaining 86 connections to 44.221.84.105:80. simrat.no-ip.info (a No-IP dynamic DNS name) is resolved but no connection is attributed to it; 44.221.84.105 is the only host actually contacted in this run.

Files

memory/108-0-0x0000000074481000-0x0000000074482000-memory.dmp

memory/108-1-0x0000000074480000-0x0000000074A2B000-memory.dmp

memory/108-2-0x0000000074480000-0x0000000074A2B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\l7l9uy9q.cmdline

MD5 f82519429c0ed4d753d23edef15c2240
SHA1 8d9f643e473a397e02833d08b0f0c66b70c1f9d6
SHA256 5695ae073e73ca8d35a235aca7764d6f48e8375acb6ae9ae2301a1d158c41074
SHA512 b2f1f8db58b7d39f4ec0558c76eb340a82afb83838ed971b75b9d67e2fbde2ee769785b5a1447ae9eb6b0ae4b14b94e8bca7a63f89ea80c09b5f816cb7a84fbc

memory/2040-8-0x0000000074480000-0x0000000074A2B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\l7l9uy9q.0.vb

MD5 8ea001ea1659e696ee3f13752f5cb686
SHA1 0c66ce3dc74df2da198e5bc8ee692e0f529384d6
SHA256 5248d8a01ed16fd51b9fb0d2d2a9126a3d25a72348a3ea19e80d53f746267019
SHA512 3c0938143a61fb24a3cf487bf3f1b95cbdee2fce8f903f93d10399f749ec4b92b3823fdb0886de8f16b109809fc02dd85ff4971d04fc0de31c620211d42fbd93

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8008b17644b64cea2613d47c30c6e9f4
SHA1 4cd2935358e7a306af6aac6d1c0e495535bd5b32
SHA256 fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55
SHA512 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

C:\Users\Admin\AppData\Local\Temp\vbcC0DF.tmp

MD5 46d5ca83a340da88a113d34f8b43dbd1
SHA1 e72534bf2599de6aed63f8484a4fd47f930131ff
SHA256 18af735c03fde70ec7bd241a7e60bb70de3a5832e530d252f460f7b21c79f16e
SHA512 ba527dbc1b57b3e9f33a17d52ee14f1537e7b2c13bcd8169d993c043db4393e48f727505fd283042118080fdf75f1190c556c872041e3ec01266932fdf658bec

C:\Users\Admin\AppData\Local\Temp\RESC0E0.tmp

MD5 b9150ef5933a109ef9fa4028e5b70db4
SHA1 afe5904aaf2bf5b96dff8e5b963dab0835981a43
SHA256 9c84fa872f19a78afc926d9bda2cbb6136cca7d8e7bd90f9fdd0d1f99eff377f
SHA512 9cf315046302dbc4035677d244216da44984fe43be5273bb70605c9839add8050002c2303055d9d58b4f4db833a65f38d1f1cb5509098f0bed9b7f42a1ae6023

C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.exe

MD5 fe424c40a4f2a319011de41ba94851df
SHA1 be507ba33377fbfb0d1c4ab600f2125cb542058c
SHA256 e50bf4ab8abcf550140003dfd0864a6f99580e280790ea550cb1253575bc06a2
SHA512 91ab9209809fa3d44e0f09de00a143ad71a1adafa7e56a203c0b5fd90e300e7cb0b4ad1b006c13389070561a089853301f1886eb086f3cf528094de2bc76c380

memory/2040-18-0x0000000074480000-0x0000000074A2B000-memory.dmp

memory/108-24-0x0000000074480000-0x0000000074A2B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-08 16:59
Reported: 2024-11-08 17:01
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe N/A

Note: reading HKCU\Control Panel\International\Geo\Nation is a common way for malware to learn the victim's country before deciding whether to run, but ordinary locale initialisation (for example .NET RegionInfo) reads the same value. In this run execution continued through the compile stage and the network activity below, so whatever the check decides, it did not abort the sample on this sandbox's locale.

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.exe N/A

Note: the deletion is attributed to the dropped helper, which is started with the original sample's path as its only argument (see Processes below), i.e. the compiled second stage removes the file that dropped it. The same handoff appears in behavioral1, where the sandbox did not record the deletion.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.exe N/A

Uses the VB.NET compiler (vbc.exe) for execution

Note: same .NET CodeDOM compile-at-run-time chain as in behavioral1 (vbc.exe is the VB.NET compiler, not a VBScript engine): vbc.exe /noconfig @"<Temp>\vg4timyl.cmdline" with the generated source vg4timyl.0.vb, then cvtres.exe, producing tmpA7F8.tmp.exe.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.exe N/A

Note: routine start-up behaviour for any .NET or C-runtime process (the Microsoft-signed vbc.exe and cvtres.exe trigger the same row); low weight on its own.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 468 wrote to memory of 384 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 384 wrote to memory of 3764 (3 calls) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 468 wrote to memory of 2288 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.exe

Note: as in behavioral1, each write goes from a parent into the child it has just created (468 -> 384 -> 3764, 468 -> 2288), which is consistent with ordinary process creation rather than injection into an unrelated process.

Processes

Process tree (PIDs taken from the WriteProcessMemory rows above):

PID 468   C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe
          "C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe"
  PID 384   C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vg4timyl.cmdline"
    PID 3764  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB1414D88568A4108BA8E5A912675D22.TMP"
  PID 2288  C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\563d2dbcd5829f81d7797dce7b658afe7bce2045149bde1bc47f320a068a9a9dN.exe

Network

Identical rows collapsed into a count (127 rows in the raw sandbox output):

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 44.221.84.105:80 bejnz.com tcp 91
US 8.8.8.8:53 simrat.no-ip.info udp 23
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp 1
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp 1
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp 1
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp 1
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp 1
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp 1
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp 1
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp 1
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp 1

Recorded order: five reverse (PTR) lookups, then the bejnz.com lookup and the first connection to 44.221.84.105:80, after which the run settles into a loop of a group of HTTP connections to 44.221.84.105:80 (mostly four) followed by one lookup of simrat.no-ip.info, repeated 23 times, with the remaining PTR lookups scattered in between. 105.84.221.44.in-addr.arpa is the reverse lookup of 44.221.84.105, the only host actually contacted; the PTR lookups for addresses the sample never contacts are most likely environment background noise. simrat.no-ip.info (a No-IP dynamic DNS name) is resolved 23 times but no connection is attributed to it in either run, so both bejnz.com / 44.221.84.105 and simrat.no-ip.info belong on the block list, and the dynamic DNS name should be watched for a future change of address.
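The two Network tables (behavioral1 and behavioral2) repay a small amount of automation: aggregate the rows, separate resolver noise from real destinations, and flag the two things an analyst wants to know first, namely which names use a dynamic DNS provider and which names are resolved but never connected to. The Python below is an added example written for this page, not part of the sandbox report. It parses rows in the report's own "Country Destination Domain Proto" layout; the sample rows are a constructed excerpt of the behavioral2 table (the counts are not the report's), and the list of dynamic DNS suffixes is an assumption covering a few well-known providers.

```python
"""Summarise a sandbox network table and flag what to triage first.

Added example for this page, not from the report. Rows follow the report's
"Country Destination Domain Proto" layout. SAMPLE_ROWS is a constructed
excerpt of the behavioral2 table; DYNDNS_SUFFIXES is an assumed list of
well-known dynamic DNS providers, not a list the report supplies.
"""
from collections import Counter

DYNDNS_SUFFIXES = (".no-ip.info", ".no-ip.org", ".no-ip.biz", ".ddns.net",
                   ".duckdns.org", ".dyndns.org", ".hopto.org")

# Constructed excerpt; not the full table and not the report's counts.
SAMPLE_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
"""


def parse_rows(text):
    """Turn 'Country Destination Domain Proto' lines into dicts; skip header/blank lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, domain, proto = parts
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def summarise(rows):
    """Collapse identical rows into ((host, port, domain, proto), count), most frequent first."""
    counts = Counter((r["host"], r["port"], r["domain"], r["proto"]) for r in rows)
    return sorted(counts.items(), key=lambda kv: -kv[1])


def triage(rows):
    """Flag dynamic-DNS names and names that were resolved but never connected to."""
    queried = {r["domain"] for r in rows if r["port"] == 53 and r["proto"] == "udp"}
    connected = {r["domain"] for r in rows if r["port"] != 53}
    findings = []
    for domain in sorted(queried):
        if domain.endswith(".in-addr.arpa"):
            continue                      # reverse lookups: resolver/OS noise, not a destination
        if domain.endswith(DYNDNS_SUFFIXES):
            findings.append(("dynamic_dns", domain))
        if domain not in connected:
            findings.append(("queried_never_connected", domain))
    return findings


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for key, n in summarise(rows):
        print(n, *key)
    for rule, domain in triage(rows):
        print(rule, domain)
```

Run against the full tables, the "queried_never_connected" flag is what separates simrat.no-ip.info (resolved again and again, never contacted) from bejnz.com (resolved once, then contacted repeatedly), and the dynamic DNS flag is the reason to keep watching the former even though it produced no traffic during the run.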

Files

memory/468-0-0x0000000074A32000-0x0000000074A33000-memory.dmp

memory/468-1-0x0000000074A30000-0x0000000074FE1000-memory.dmp

memory/468-2-0x0000000074A30000-0x0000000074FE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vg4timyl.cmdline

MD5 cc9f0385a85cd56fec0a96414db80921
SHA1 edcf690d27433270aaa568899aa49346b79849fe
SHA256 3e3d3a71e44176201552ed32d7ca5b1455ac487543ed16bc259449dd06053023
SHA512 48dd6aea34097c498d1dca3e24293209deec06704deb52f12936975afbf48dcd6f52dd56e5eb8e04a5373987305942b841573abddfe8c66fa973a826e024ca61

memory/384-8-0x0000000074A30000-0x0000000074FE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vg4timyl.0.vb

MD5 60b2b03bb9bc80a9e16016d8d52c1fd2
SHA1 3f454e70b0171e156ef5c2ef032f78487a723c0c
SHA256 1dca1ca32dab8228a062f1f7c57938fe9877dbe8a7ccef836f271ea7635e4242
SHA512 e497bb66567e9aebcacd1fc28dc61a54d9c1ac8e7695725fda00b954d55abd0bee20634f40de8a37eecc59f422fa3759d4c5f6ce03faa9d3b7f4ac5f5aabf459

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8008b17644b64cea2613d47c30c6e9f4
SHA1 4cd2935358e7a306af6aac6d1c0e495535bd5b32
SHA256 fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55
SHA512 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

C:\Users\Admin\AppData\Local\Temp\vbcB1414D88568A4108BA8E5A912675D22.TMP

MD5 7e582bb4b7da5f99717544f480e3b749
SHA1 40596e8fc3c8d3977e52c5d7456df1393885dd82
SHA256 23e7c1c68cb86ea6d4b28ead076c71bc6fd0ac5661feedca6f53c5df99fd06d1
SHA512 4d67874fc4d0df31f9b8293d62b69b491eb6a44cf129ba43e542d53794327cdb7eb1f602a0e1af0f6e706d94e9dba7c6d6a118ba1dba88eaf1559e009fc0a704

C:\Users\Admin\AppData\Local\Temp\RESA9CD.tmp

MD5 b4f199c8e0b24ad9275a0314caab9c0f
SHA1 476d9634c77f3e298bb3b3aacdf6601b106dd30d
SHA256 90f6109d4894e4af36253959862a4266cf6b52971ff25e81ba3147fceb179563
SHA512 df31d501528ed5e64d86e830e7d05ebceee009ecc1829701fa41960ca907f31812e4ee888198c9357b0b88680653243c3f64713f98f18b99e28fdc4f3013182b

memory/384-18-0x0000000074A30000-0x0000000074FE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.exe

MD5 f6f3cfc918ecd30f912d6d265fc530a7
SHA1 629e842e65c879fe4e1b1cbe4751ece658a2f1d1
SHA256 7f9ba20e35a42b8bab954c1dbe72e608becb8dab7319fca20b7cbf23d5f2a143
SHA512 c3e12b753876d2005aa314605c73543e2d42f4cf5294659cec2dc6a38c9655357cbcc869aa861d01dbd1fbdcaba5beea4408a6df83d3b539203a27cf28eb331e

memory/468-22-0x0000000074A30000-0x0000000074FE1000-memory.dmp

memory/2288-23-0x0000000074A30000-0x0000000074FE1000-memory.dmp

memory/2288-24-0x0000000074A30000-0x0000000074FE1000-memory.dmp

memory/2288-25-0x0000000074A30000-0x0000000074FE1000-memory.dmp

memory/2288-26-0x0000000074A30000-0x0000000074FE1000-memory.dmp

memory/2288-27-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Note on indicators: across the two runs only zCom.resources keeps the same hash (MD5 8008b17644b64cea2613d47c30c6e9f4). The generated .vb source, the .cmdline response file, the vbc*/RES* intermediates and the compiled tmp*.tmp.exe all differ between runs, so hashes of the second stage are not stable indicators. The stable ones are the behaviour (vbc.exe /noconfig @<Temp>\*.cmdline spawned by a non-developer process, cvtres.exe beneath it, a dropped Temp\tmp*.tmp.exe launched with the dropper's path) and the network destinations bejnz.com / 44.221.84.105:80 and simrat.no-ip.info.