Malware Analysis Report

2024-11-16 13:11

Sample ID 241113-a5tbmstfkg
Target 9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe
SHA256 9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4
Tags
metamorpherrat discovery rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4

Threat Level: Known bad

The file 9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Executes dropped EXE

Checks computer location settings

Uses the VBS compiler for execution

Deletes itself

Loads dropped DLL

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 00:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 00:48

Reported

2024-11-13 00:50

Platform

win7-20240729-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA998.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpA998.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2112 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2112 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2112 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2372 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2372 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2372 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2372 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2112 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe C:\Users\Admin\AppData\Local\Temp\tmpA998.tmp.exe
PID 2112 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe C:\Users\Admin\AppData\Local\Temp\tmpA998.tmp.exe
PID 2112 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe C:\Users\Admin\AppData\Local\Temp\tmpA998.tmp.exe
PID 2112 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe C:\Users\Admin\AppData\Local\Temp\tmpA998.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe

"C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sf8q7flo.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB7C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB7B.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpA998.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA998.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2112-0-0x0000000074991000-0x0000000074992000-memory.dmp

memory/2112-1-0x0000000074990000-0x0000000074F3B000-memory.dmp

memory/2112-6-0x0000000074990000-0x0000000074F3B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sf8q7flo.cmdline

MD5 a4e8f2c972a54421b92fe4d7b3f119a8
SHA1 eec57e4d6df8a0b484a0686b4993553eded981cc
SHA256 8aa2d2a0e1f4e17c7af77e31fbefe1cf69abf90d450bd440214e13d03c85e6cd
SHA512 21a4b3d9ab45ea0cb918d794562ce02270884a761f7f2301b57e583a9cc111d496a547c7c39b10c5a4f1a605634bb761e82572a43158916f6827ac3bdcd507c6

memory/2372-8-0x0000000074990000-0x0000000074F3B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sf8q7flo.0.vb

MD5 2ef42e7ed31e86e084582c65628d1f6d
SHA1 b241fde9c6d8a4f371704471d71fd385a640de66
SHA256 698b5a2c3fcd2c9074e4e97219e3171e28b13b26f9c892ed8b5b99c775487efb
SHA512 e1194700d70bd92ec0051cf40dbca84e3dc7624c492f65a2a3eb8ecb3ff499e243ce3644b7ebad2d467bb4b16933a68440daa9bd3f7af79f581b380672f087c3

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8008b17644b64cea2613d47c30c6e9f4
SHA1 4cd2935358e7a306af6aac6d1c0e495535bd5b32
SHA256 fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55
SHA512 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

C:\Users\Admin\AppData\Local\Temp\vbcAB7B.tmp

MD5 adfb1e6e557f4791aa337af4b28e968b
SHA1 b126dae26bf0356764c97f829853b282a516dfaa
SHA256 5fae63531966b54dda3c88ca19e9699ff342a336d4016b16002a1b823cfca8a1
SHA512 ba3c4cd477700f4f3d022e3cd97f916a8f47d1ee5fc7553c79b9a287642f1dc98539d10f4b799376b78ac22abf1b4a1094e11c5c8ad59c1f262622827b20581c

C:\Users\Admin\AppData\Local\Temp\RESAB7C.tmp

MD5 9e8620b8aa20609dff3ce3167f867e80
SHA1 a22e7704b410b33475c5b78a2f4121f01ebf91cc
SHA256 aea82feefc67e330a97c25804f3a2af601140d5d65ba00a2f0f0e9d22f77082e
SHA512 8fc167fcc4792f6deaea79102f56338d85259f94a86d356c2c94eafe96dcd3bf51f8be74f3212981ba2755595a1eef2e87aa5c8ca5d005992490289f3935f787

memory/2372-18-0x0000000074990000-0x0000000074F3B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA998.tmp.exe

MD5 09f71015931679a3129749124479b8ee
SHA1 6631d3ee356dbd4238bbe9d216246a71ae487303
SHA256 b1671bc0f32b157dd5e669858d558f46a7eda320aeaedc50c3432bf22053ccc0
SHA512 7637c6a9ea8f249aac997447f26ce5cb26e14f8390b4fff9db2142007cb5e942440ffa6afaacee43fa420036afdc6a71c8957196316ef0e606eaeb811851d3ca

memory/2112-24-0x0000000074990000-0x0000000074F3B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 00:48

Reported

2024-11-13 00:50

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpAC5D.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpAC5D.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpAC5D.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpAC5D.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1312 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1312 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1312 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4056 wrote to memory of 5048 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4056 wrote to memory of 5048 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4056 wrote to memory of 5048 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1312 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe C:\Users\Admin\AppData\Local\Temp\tmpAC5D.tmp.exe
PID 1312 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe C:\Users\Admin\AppData\Local\Temp\tmpAC5D.tmp.exe
PID 1312 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe C:\Users\Admin\AppData\Local\Temp\tmpAC5D.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe

"C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2lphoypp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D6A3319E1D441D8AE4B758D1E489A8B.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpAC5D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpAC5D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp

Files

memory/1312-0-0x0000000075382000-0x0000000075383000-memory.dmp

memory/1312-1-0x0000000075380000-0x0000000075931000-memory.dmp

memory/1312-2-0x0000000075380000-0x0000000075931000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2lphoypp.cmdline

MD5 c7d07dc3a440051c773d056ccd0c01ce
SHA1 c43103053cf051bd4979372f7238487e8c42e685
SHA256 a07dbfaaa8f2385d7f5622968f70e2c0cecd83fd3e0f2e11c032f9ada66ec7dc
SHA512 0b3428b26d27a9a5e462292167cb81ec69a24619578ff1cd29b371bc720b3598ceaacd8895e033efafa0984e9f5ec29d6ce5f834d475a58095130ecde05aa0c1

C:\Users\Admin\AppData\Local\Temp\2lphoypp.0.vb

MD5 7e5668376dc25f3b9ac8dc344923669c
SHA1 dbd6a7c6d0273b67be612662e291631b43d993ec
SHA256 3c1235f5c9180146e97c2f260b11885531ff6c98b5373cf874f94ef3121b18eb
SHA512 0d0c6c55de812c3d2f76ba5fbdef4a448a079a3fa190d3a25aecd7e6744c59448a4292eb7141fde42ce0c09ea70cb7f6b70fcbe706cecd84250fad51c6fdafdd

memory/4056-9-0x0000000075380000-0x0000000075931000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8008b17644b64cea2613d47c30c6e9f4
SHA1 4cd2935358e7a306af6aac6d1c0e495535bd5b32
SHA256 fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55
SHA512 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

C:\Users\Admin\AppData\Local\Temp\vbc9D6A3319E1D441D8AE4B758D1E489A8B.TMP

MD5 4b67a3333a4fcf1a4f823bcbc03863c3
SHA1 16188eff22600abbf24ae12f94d65f28bf92332f
SHA256 91015d725bd83efef544502839143d83aea56ff9506be8aeb3bd0b6f3d9498d4
SHA512 9a0c5e5822ee16354fdff31eb219bcd0ad19417fed9efc6b0a59407375075090a37104909200921b7ea9776cfa82e1547e08852f8d0636b6d7bac058a7f1c6d3

C:\Users\Admin\AppData\Local\Temp\RESAD86.tmp

MD5 93422921d334dea8fae972655cf1835a
SHA1 f9f815a29f408a3ef08497f6fcae1b56cca355da
SHA256 9447f5153b32d2567f6ae4fcf32b4e23db606701a23a3745be856a81d1b113d3
SHA512 3e7ed6ce0ed99f2826fc90b9f39128e0c1b4cd9ff7b95433b78cd92e957f16ff1897691db27f39d29ae85fa31cf476d0c86c8110b8c09e714dec8fa43299a221

memory/4056-18-0x0000000075380000-0x0000000075931000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAC5D.tmp.exe

MD5 71c887703269b779abfeaefd4c8ab73a
SHA1 569705855c664347be60a37f4a46b721c92a23da
SHA256 a374bcefb40e59be634535e904ed306dabc6c1a06954db01e8976b00be382258
SHA512 984d3bcbf34a9ec82363dc483b14deb895eae4dd55ec27dc37680adc1a74adc19345090fa83d98275feabcb4b2ced7061fd9447a8939e985139026b56e3e6da5

memory/1312-22-0x0000000075380000-0x0000000075931000-memory.dmp

memory/2524-23-0x0000000075380000-0x0000000075931000-memory.dmp

memory/2524-24-0x0000000075380000-0x0000000075931000-memory.dmp

memory/2524-25-0x0000000075380000-0x0000000075931000-memory.dmp

memory/2524-26-0x0000000075380000-0x0000000075931000-memory.dmp

memory/2524-27-0x0000000075380000-0x0000000075931000-memory.dmp