Malware Analysis Report

2024-09-11 10:22

Sample ID 240725-sywsasxeqq
Target dd868c65b9cb2b674e275d9cdbaf0e10N.exe
SHA256 ff52de1ef16a9c1f4fcbc1747b2991f4c4ced1917719ec16404e393bd792e0aa
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ff52de1ef16a9c1f4fcbc1747b2991f4c4ced1917719ec16404e393bd792e0aa

Threat Level: Known bad

The file dd868c65b9cb2b674e275d9cdbaf0e10N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Checks computer location settings

Uses the VBS compiler for execution

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
System Location Discovery
T1614
System Language Discovery
T1614.001
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-25 15:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 15:32

Reported

2024-07-25 15:34

Platform

win7-20240705-en

Max time kernel

119s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2696 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 2216 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2860 wrote to memory of 2216 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2860 wrote to memory of 2216 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2860 wrote to memory of 2216 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2696 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe
PID 2696 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe
PID 2696 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe
PID 2696 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe

"C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\flcob5yn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES362E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc362D.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2696-0-0x0000000074C21000-0x0000000074C22000-memory.dmp

memory/2696-1-0x0000000074C20000-0x00000000751CB000-memory.dmp

memory/2696-2-0x0000000074C20000-0x00000000751CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\flcob5yn.cmdline

MD5 2077292aef3edaf519a6cf1e22979834
SHA1 3142053e5c2d5915391a5fdd21a34d1bb12c47ee
SHA256 d17af23066befdb5c86308e5ea1ba675fcbca825d610ca19896269c19573b394
SHA512 6405d1dca3145176dbd340131ca5db0175924cf344654f0f675c59fb4a0ba6acfadd23da4775952ae7314cde1ae133b4a9f2f2f2daa6b5aedc1a4693049193b4

memory/2860-8-0x0000000074C20000-0x00000000751CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\flcob5yn.0.vb

MD5 080b97d3ce5c0e902a7f3aeb62bf3643
SHA1 a26aabc30a98c48e9f33f4be559911f2417047a7
SHA256 22b40f0da869b88bfdd0b4e764e9c3a43e17f4cd5bc55510d26865e89f3c5318
SHA512 8d3646b585d9bbb944d432ef58548ff83f19a80e88ed91460bf43f7f05335cd4ce242ce96f6ff912f8aa76d465ed3c19009e6c36fd5fe09d565df6174b8e05da

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc362D.tmp

MD5 383f4c3d6187bdd678db919ad4ea9c77
SHA1 c430380a1949a30ea02c98b095d7e4f4aa62610a
SHA256 d74c17f7e85920deb2c1feecaed3246799c17dd946fb6bbf82d147bd340bcc79
SHA512 a52775b719d31514e485d975e59e5ebb6bfe22001da69cd385683b668bb58e6cef4749503a3bf707b0970896b6063671cd90bc2b86e82eee00c9eb0090d32fae

C:\Users\Admin\AppData\Local\Temp\RES362E.tmp

MD5 2e6c36417e94cbe1ce9398190ab1350a
SHA1 0bd02843c99684512d19ac99a6f28909c090d02e
SHA256 f49ba702bae1bc954a77e31995cc55479b3fab437c79267f516c79009451c3d8
SHA512 65dea404f4891f6989441bbc1469fb0de26c296125adb0e4a18f03ade08504cf13bd7995232b761932ade193443f160059feaa55f5199b9189960fd5980955f0

memory/2860-18-0x0000000074C20000-0x00000000751CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp341B.tmp.exe

MD5 1203d0e46ca54cb9331625020f4e45d2
SHA1 f5fafc85df429e1a4f7764b9f2a03576080d8fc8
SHA256 b915e33ee049361f3ec8d2218810de841a026cd6d66cc28ecff256b7654f3e41
SHA512 d4f7594ef061889107282947c18472f4e9d425b07bb15c3e2904adcf23b9681f49414ecd4a0c41f3baa679a90a4439691031ea48e40da61473395ef4801a4cc0

memory/2696-24-0x0000000074C20000-0x00000000751CB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 15:32

Reported

2024-07-25 15:34

Platform

win10v2004-20240709-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3704 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3704 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3704 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1708 wrote to memory of 816 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1708 wrote to memory of 816 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1708 wrote to memory of 816 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3704 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe
PID 3704 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe
PID 3704 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe

"C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wyaca2ro.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB82.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBBB92536155E457FA7A4E3C0E6C4E260.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dd868c65b9cb2b674e275d9cdbaf0e10N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp

Files

memory/3704-0-0x00000000752C2000-0x00000000752C3000-memory.dmp

memory/3704-1-0x00000000752C0000-0x0000000075871000-memory.dmp

memory/3704-2-0x00000000752C0000-0x0000000075871000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wyaca2ro.cmdline

MD5 d97776278a99cc4f33747f48cfd5d710
SHA1 5ea33bf362faa561e696cf1bf396ed2adb659b34
SHA256 9cbfdc1dbb8ff5262c1a05ca8c6f3e47844643c829aa155cb9c644be67f6a93e
SHA512 d2628f3ed690c342a164b4c9e8dd8e9b4baec6b72d86e81aa4181c73c1e4204436cc5983c2b0b51e57d0d1c44f671e71c8e19b22910caabc99851a1232bc8d7d

C:\Users\Admin\AppData\Local\Temp\wyaca2ro.0.vb

MD5 b5fb5e555eebe39f22afe4fd00520573
SHA1 3a4c5a95e7ce63411214c7546b7018698a807c44
SHA256 c49d57ac5626206599aac3a0e7a10e1c00edcfb5221bcde729a919863fcf3a57
SHA512 dcfcec68b1c8da632d10a2d5adfe405316f30ed7b781822c4a0e6011ba7fec7658b50359dca443595ff8772a334e2e5afac9e530254c23622ad7279a261adb79

memory/1708-9-0x00000000752C0000-0x0000000075871000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbcBBB92536155E457FA7A4E3C0E6C4E260.TMP

MD5 0d361ee7a5a6d722b546ce9ce3ea036f
SHA1 ed6afdd5ba1bb4859991caa69a058b16285660e2
SHA256 6c3efb0f0d058801ce1bfa76b71bbd4f15e964addf747a924da1c8792562b0fb
SHA512 db881c656840f9323f72f556c7589814f2fb3adcc4df43039feb3465a30a1a526ce12b68863c5883c04bcac3d5173849d3eef63068d36fb2b4d781948e7d26bc

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\RESAB82.tmp

MD5 67afe07813a6a7526d520611eb969322
SHA1 046b42b6b07b4ebf4e4169357c90a8b3ec8270e8
SHA256 aed063d5ec8b34044bd59482d85955ca79775db0520c72ba43c61f5dedb886bc
SHA512 cc1abddb74a0dc5daa69c8a06f649c2bb3e2de25de5578269f50166966b6bfda57c03b08c7a0425fd96b10d4c5b1af60deef96d4d0d252876457b9662522a704

memory/1708-18-0x00000000752C0000-0x0000000075871000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe

MD5 6f1d8ff7bfb63c256a06a448f11c1bdc
SHA1 b9dda00d618b2ecb470b3cdeae1c595f0177dee1
SHA256 f2f3b5f485796eb5ee6d7925fe91da5527a745ba72f4169c84888d0d191c9319
SHA512 928c26a03e8b2d8ff9010a0719fdcb3ab7d0c8cb16517a9280cde8ec608835d29e229f1c442b0f3844c5aa4e4909b6c42d76c61bd8f882205d4edd46b2ea9bb5

memory/2944-23-0x00000000752C0000-0x0000000075871000-memory.dmp

memory/3704-22-0x00000000752C0000-0x0000000075871000-memory.dmp

memory/2944-24-0x00000000752C0000-0x0000000075871000-memory.dmp

memory/2944-26-0x00000000752C0000-0x0000000075871000-memory.dmp

memory/2944-27-0x00000000752C0000-0x0000000075871000-memory.dmp

memory/2944-28-0x00000000752C0000-0x0000000075871000-memory.dmp