Malware Analysis Report

2024-09-11 10:22

Sample ID 240722-zyzbrayemj
Target 4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1
SHA256 4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1

Threat Level: Known bad

The file 4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-22 21:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 21:08

Reported

2024-07-22 21:10

Platform

win7-20240708-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1996 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1996 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1996 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 296 wrote to memory of 3048 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 296 wrote to memory of 3048 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 296 wrote to memory of 3048 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 296 wrote to memory of 3048 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1996 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp.exe
PID 1996 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp.exe
PID 1996 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp.exe
PID 1996 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe

"C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tvew9qz0.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8316.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8315.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/1996-0-0x0000000074CC1000-0x0000000074CC2000-memory.dmp

memory/1996-1-0x0000000074CC0000-0x000000007526B000-memory.dmp

memory/1996-2-0x0000000074CC0000-0x000000007526B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tvew9qz0.cmdline

MD5 3008ade2c507d96e0f932de1f1d9005b
SHA1 849e2e802ef591cdfb3ce6a1d71c8c1b3718a4f4
SHA256 7487e7a0a4f4746f5a42d4758b4a7e372c5b68164fc0e14672b3aa4a07ff129e
SHA512 b01eedda8be8e924e2cdf0c717bf95ea225a240eff347a3e77e97659909bd6766a16a81e3842c13c7cfd8828c4d9be1c4d513f3b0e47e9252331dc5d23d775cf

C:\Users\Admin\AppData\Local\Temp\tvew9qz0.0.vb

MD5 bd4baa0cf01968a5a683435afdbd3437
SHA1 f4d6f634eb1cf16e29367b4a5b737a26b3b8881d
SHA256 eaaa0a1ae25c74e75e213bb92a53006cc8f1c06e661ae6fc6f4ae01dc3c135dc
SHA512 130ecb60f52748ece567f5fca2c6d36b61daee4fe605655a0c63df773e520f9d2428e32e59aa9e08c663369ad696208b4a40867f52bd9ef2166814da0ad4684e

memory/296-9-0x0000000074CC0000-0x000000007526B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc8315.tmp

MD5 4acd53d758caeea419f738580f1da282
SHA1 c43a92458fb4ac5b21d63501a1ec446d8c3c9cd3
SHA256 56f5539e79bb17a57765c6d056cf481474ea722fcec63537cf14fc33ab4fb7f5
SHA512 b17532a1dd47bc3ed3ecb5ea2dff5392e7ea2fe4624ce4fc808bd3fddcf33d4cfce66fa9e69d72fdf66d1a97f922f5a565f673e73f808e4c298109d58cb8b653

C:\Users\Admin\AppData\Local\Temp\RES8316.tmp

MD5 dff2a427e68befd5e67e08963e01c174
SHA1 0ae064de33eb41c04bac9854d528c7d42183ba9b
SHA256 9654bfce0fae4c05f3784f290bc99626cafa5b8c0484034a2e6d4fcef19fd62b
SHA512 8ee28984c9b7bcb007516fc0c5a410491b07d9a46a1dce0702ebb803accfbd4f3eafff36d7ce6a4f44336c3ad605c0620e089cfb573c0133f9b6a8a30878c232

memory/296-18-0x0000000074CC0000-0x000000007526B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp.exe

MD5 d175c93e4173485cbcab1ccc4466fcbc
SHA1 ff1d5c17794a02c3c84cea8fbc076bd4bdc18ddd
SHA256 dd154f7224910317585e1cce428ab4af92da482fdfda8d61a9679fef4eb41248
SHA512 91e24e8ae9df9130f52bd452e04321b0a179e6b6abdc30d97751b26a061e1d811e072435d94c44404a52d714f1f50c71141a680fb377457ba7a7a0cbba39608f

memory/1996-24-0x0000000074CC0000-0x000000007526B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 21:08

Reported

2024-07-22 21:11

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp97DB.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp97DB.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp97DB.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1640 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1640 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3840 wrote to memory of 2000 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3840 wrote to memory of 2000 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3840 wrote to memory of 2000 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1640 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe C:\Users\Admin\AppData\Local\Temp\tmp97DB.tmp.exe
PID 1640 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe C:\Users\Admin\AppData\Local\Temp\tmp97DB.tmp.exe
PID 1640 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe C:\Users\Admin\AppData\Local\Temp\tmp97DB.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe

"C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\np9vwtjb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9981.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E4C5A13574542BA91EDCD7F4B85963.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp97DB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp97DB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4ac25c1efb074629d731f575821cbd0faf67ca97bf61453e21e7841d5c4e19f1.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/1640-0-0x0000000075132000-0x0000000075133000-memory.dmp

memory/1640-1-0x0000000075130000-0x00000000756E1000-memory.dmp

memory/1640-2-0x0000000075130000-0x00000000756E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\np9vwtjb.cmdline

MD5 79f7541caed09367d0f17ab6a8c70419
SHA1 ca721588acc7fbd31f80e109d8a08f891fcb9b5b
SHA256 9cd753e03c47884afb77d49714c7ac8c95c0736808ffbc73b23d98abb76670a3
SHA512 d36d6a448dbb6911d527fbf25b376fa3b30f1dcdf5f0355a7c8b6d02b2a12eff739f0d9147620497f0e0bc0aa8fa1b0acdce948aa15d20e0a448498f8546aa77

C:\Users\Admin\AppData\Local\Temp\np9vwtjb.0.vb

MD5 cf9301c67ebfca118aac1b4b86dd7fcc
SHA1 63bae5067590958f88b6250848b69884ede779da
SHA256 43e26cc3dc828af80c614becb83e518c48905bb35c4c9421c700080b09118c53
SHA512 0591668e7c3b2a8b7505d9d80a36e9cd81957f3caccf44dd2c7276f6ff32924f739b882e27bce01fb025c390c560b117d54e4a16530fb93cf785e4f8a3295d18

memory/3840-9-0x0000000075130000-0x00000000756E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc6E4C5A13574542BA91EDCD7F4B85963.TMP

MD5 2d08e69b9ab419035aae18f8af8df6df
SHA1 9c736f4e1aba3600324731cc04170260d7afff14
SHA256 95010b65f5e97358512788b928e6d59a4667cdfdabd39e5ed8703672bb5c83fe
SHA512 db1e38ae678773850569119c45aa3270c7b570c604fa7cca9fd0bd75b796808dad3f7fae64137c970dc77fbfd4c4f1d7658289545ae25757228c38f970a4adea

C:\Users\Admin\AppData\Local\Temp\RES9981.tmp

MD5 fdf01e2473e04869582e455e9c491e31
SHA1 515a405e55221ddbbacc9936061a018328069a2c
SHA256 ab8f6b1bc08b771b509723376f21de4eaa949c2d9323f1ae8f47c600039dfe75
SHA512 bce55495c41e9984d1b70923f56e7dd3b698f6f49289fcc1e0b60f405e47add916bad56e510913e402f5d69eca269cc2eb4e31dd8f3f89ea400bde24be77f942

memory/3840-18-0x0000000075130000-0x00000000756E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp97DB.tmp.exe

MD5 2d6181f5c43e36dd10402ae143fdf13b
SHA1 600332f7b0a7737dfd644cd89564524c2a96f324
SHA256 766b979b237e7e5000a0660cb26d4d688f8ddaf6a7100a0c5d5a8c74787c98e5
SHA512 68b65350d0eeb5ad3440cc95961e407110de779b8629ed8d218c7dbde7d2f54db2f6295c085962fae4589fb3c273e29b2f54598cdde21afaa8caefb4734224ea

memory/1640-22-0x0000000075130000-0x00000000756E1000-memory.dmp

memory/4856-23-0x0000000075130000-0x00000000756E1000-memory.dmp

memory/4856-24-0x0000000075130000-0x00000000756E1000-memory.dmp

memory/4856-25-0x0000000075130000-0x00000000756E1000-memory.dmp

memory/4856-27-0x0000000075130000-0x00000000756E1000-memory.dmp

memory/4856-28-0x0000000075130000-0x00000000756E1000-memory.dmp

memory/4856-29-0x0000000075130000-0x00000000756E1000-memory.dmp