Malware Analysis Report

2024-11-16 13:11

Sample ID 241112-wbx9ds1kfm
Target 9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe
SHA256 9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e
Tags
metamorpherrat discovery rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e

Threat Level: Known bad

The file 9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 17:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 17:45

Reported

2024-11-12 17:47

Platform

win7-20240729-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpCDF9.tmp.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpCDF9.tmp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2252 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2532 wrote to memory of 2556 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2252 wrote to memory of 596 | N/A | C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe | C:\Users\Admin\AppData\Local\Temp\tmpCDF9.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe

"C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zx68fljv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF51.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF50.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpCDF9.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpCDF9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp

Files

memory/2252-0-0x0000000074081000-0x0000000074082000-memory.dmp

memory/2252-1-0x0000000074080000-0x000000007462B000-memory.dmp

memory/2252-2-0x0000000074080000-0x000000007462B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zx68fljv.cmdline

MD5 08b88f83a52a5c3633cafaad582779be
SHA1 1a5a455e44dfd8871f5069dcbb4bdb3ade56d4e3
SHA256 981573e4c10b2f3d0edfe0d5120da2145e87659dbaaccb544b2c05b650807afd
SHA512 d034bb5a344a1ad8c56569952dfcf5ea1c7c38904b2dd9d5500fea073d7fd868aca5364e2ab06ab00120272313767cfbfdd68ac46d2e4532289c4b58bf2b917a

memory/2532-8-0x0000000074080000-0x000000007462B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zx68fljv.0.vb

MD5 9cb585132d764c6e7685c96d70c49000
SHA1 370a8bf7949da8226e214f718dfaf2ac7823bf61
SHA256 4e181b2de6f3b7a8022f41f1893c3f64dd92f38eba8bb473f59cd5459d3b57e1
SHA512 765f0883c4ddc234e2551fbd9fe3ac9ff1278a11f6b2cd6736dec5a029687e40747eaa44209a0ac0809fc5b05d42b7d6bfa55e5c0e5249adbf4d0483c61df644

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8008b17644b64cea2613d47c30c6e9f4
SHA1 4cd2935358e7a306af6aac6d1c0e495535bd5b32
SHA256 fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55
SHA512 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

C:\Users\Admin\AppData\Local\Temp\vbcCF50.tmp

MD5 ef24f9c9823a8fb5fde78d33ca96ce4b
SHA1 9e152e866de05635db9dfd076eeb3f8995abdbcd
SHA256 9e65371f6e5b90933406a43c06eec68d800784e4185ccb74bbc67b70adc8f933
SHA512 e296749ebe7d94d4c4ca0a16e4d4567009906c4524ab15b756fdc47c4f74d7973b7e0ad3bd590e80390ac665871426dd7e6631f47d05dabf90b966e07e620835

C:\Users\Admin\AppData\Local\Temp\RESCF51.tmp

MD5 fd01e5a9fd9b76b3055c9c6f693cd050
SHA1 7f0ec189162fd6f0d732a0c8a24eac6d48f65307
SHA256 efc66a8460bccdad270955bbe310af389e4ed4880909754fe230f958beb0fa63
SHA512 b6862b1ca1304d7a2bbe29e3208651d034e384be0206d576dd52cf29114075bfac7be15be7ba53c44f8fda513665b60cc2e3f4c14bff57104634e12681dcdffe

memory/2532-18-0x0000000074080000-0x000000007462B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCDF9.tmp.exe

MD5 7e2be1392abf487db4c2cbf7332a645d
SHA1 3dbaeca7ae94ee4c89363ded82505ad4237fdd1b
SHA256 07f59f66f6b6ae8e2fea3061122a5fef6cc1fed925a27b4357b2babbd0a818ca
SHA512 0870a6d38c6a8f6fc17039c4264e224797636caff9779352dcdac32b39d6cbfa0e5dbeedf835dcba786aa2347b298163383f9fcd9b9ce5dee61be8960790bf5e

memory/2252-23-0x0000000074080000-0x000000007462B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 17:45

Reported

2024-11-12 17:47

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpAF3B.tmp.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpAF3B.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpAF3B.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2732 wrote to memory of 424 | N/A | C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 424 wrote to memory of 4676 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2732 wrote to memory of 4192 | N/A | C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe | C:\Users\Admin\AppData\Local\Temp\tmpAF3B.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe

"C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7v9brzly.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB13F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB54CD2D6FC754543883E6CEAC16C36D4.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpAF3B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpAF3B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9de7b57c5057ac34ae7de3efb9d18f23f9444790bee6092c7ecc032b01c5042e.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/2732-0-0x0000000074D22000-0x0000000074D23000-memory.dmp

memory/2732-1-0x0000000074D20000-0x00000000752D1000-memory.dmp

memory/2732-2-0x0000000074D20000-0x00000000752D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7v9brzly.cmdline

MD5 1856ad133ef75e98365027069052c4f7
SHA1 1ee2c0054f6321bb419319b03f673a58adaeaf5b
SHA256 c88e1129f0c9b0b15f1eb8944115dcf8e65e763d3a012b76c23fb8e4ad955abf
SHA512 7e312a7eb5936cc9ae365bac29160ceca1d76b925d9f34887867cbbdfc93610199513396064b2ea063f033191d895c3b461cc96471f3dc15ad783f5cd761cba6

C:\Users\Admin\AppData\Local\Temp\7v9brzly.0.vb

MD5 bc0b6d21604a9f9154451acaa84da6db
SHA1 ddbb3a3b0cb485270c148db0ac5c149b5002b5dd
SHA256 5d21d2a034f25bcdb21bccbcbb14fe4179e0a356d53f4da88c00c0f5d14139a1
SHA512 2246f79b2aa350d8e51a941998774e5dd35218d059a56cfa5b9c1efad4063cdc3928eec6e7723e00a427a806f8a60c0e2872ada4828bef81a27bfa030d00399f

memory/424-8-0x0000000074D20000-0x00000000752D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8008b17644b64cea2613d47c30c6e9f4
SHA1 4cd2935358e7a306af6aac6d1c0e495535bd5b32
SHA256 fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55
SHA512 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

C:\Users\Admin\AppData\Local\Temp\vbcB54CD2D6FC754543883E6CEAC16C36D4.TMP

MD5 5790b4ff0d14ddd16bb5adbae9af599f
SHA1 69e749aecddcb55f6a45913f59614f973b83db13
SHA256 bc86d661283a7d461276035a636f51297cdacb9f6e301a94f90e5187818c4789
SHA512 f8d5cc53bed31dc495f5df46be8d82064e4835e408809cfa8f58b07db7a1dde7b9d0723b40cbcff36f0e19dfe609218f140e892933e89577a10291aefc6b1fc8

C:\Users\Admin\AppData\Local\Temp\RESB13F.tmp

MD5 83350de4f6e6164b1bd80f72f9979c63
SHA1 7c5fc6724ded101d8d46dc9e245d6f2b981f2baa
SHA256 976e51a668a962cef77e68adef3a7600220e84a72e7251ba4f3f02cbd1085c19
SHA512 0eb4caa95b57bd86f62cad20bb2fe10722c1d5497605c28e7d77886e6f1b83886b36957e1150937c5f475eff15cce0b633969d4eb587996235d84958e8dfda30

memory/424-18-0x0000000074D20000-0x00000000752D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAF3B.tmp.exe

MD5 4e96e4a9bd0f042f0fe76462666a19de
SHA1 069112f0f37fec4230ec59223403e86699c95064
SHA256 1ad0593d956c45532dc8f720931706268aea52d775e80332971f5db95718bf2a
SHA512 a0050b5e3b54ba6a85f6cce4e34be8586c3ac394ffe0bbad7aa000edee62abfe5dd6b93073d3a5707dac05278b0e7582284c4fde6c9f1bc38447794e19838d81

memory/2732-22-0x0000000074D20000-0x00000000752D1000-memory.dmp

memory/4192-23-0x0000000074D20000-0x00000000752D1000-memory.dmp

memory/4192-24-0x0000000074D20000-0x00000000752D1000-memory.dmp

memory/4192-25-0x0000000074D20000-0x00000000752D1000-memory.dmp

memory/4192-26-0x0000000074D20000-0x00000000752D1000-memory.dmp

memory/4192-27-0x0000000074D20000-0x00000000752D1000-memory.dmp