Malware Analysis Report

2024-09-11 10:23

Sample ID 240718-e9h4pavgqq
Target 6742d12ccd2243002f975210f9e16f30N.exe
SHA256 6a1f0457ec907801ab79abcb70c7b1725afa9a000d7995b6d83d13154691a7dc
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6a1f0457ec907801ab79abcb70c7b1725afa9a000d7995b6d83d13154691a7dc

Threat Level: Known bad

The file 6742d12ccd2243002f975210f9e16f30N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-18 04:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-18 04:38

Reported

2024-07-18 04:40

Platform

win7-20240704-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp15F1.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp15F1.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp15F1.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1948 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1948 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1948 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2260 wrote to memory of 1908 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2260 wrote to memory of 1908 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2260 wrote to memory of 1908 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2260 wrote to memory of 1908 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1948 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe C:\Users\Admin\AppData\Local\Temp\tmp15F1.tmp.exe
PID 1948 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe C:\Users\Admin\AppData\Local\Temp\tmp15F1.tmp.exe
PID 1948 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe C:\Users\Admin\AppData\Local\Temp\tmp15F1.tmp.exe
PID 1948 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe C:\Users\Admin\AppData\Local\Temp\tmp15F1.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe

"C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yrcqamvj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A07.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc19F6.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp15F1.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp15F1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/1948-0-0x0000000074BF1000-0x0000000074BF2000-memory.dmp

memory/1948-1-0x0000000074BF0000-0x000000007519B000-memory.dmp

memory/1948-2-0x0000000074BF0000-0x000000007519B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yrcqamvj.cmdline

MD5 7f86c6c53aecb07a54126369bf7f480b
SHA1 2a85255faf46f2ea57bf7bd6417291b85594d696
SHA256 59e963a4376d6a5ed4162c7d04149af591990b28362d418fc8df01faed81f7bd
SHA512 f3c76bee86f5158b72cfda7d759a98ddbb64425c1f27036854f7c40dce610a39b4020f5759ee5190cc950a3ad88046cd76e981245b8d3fe30a7be2d5016dc944

memory/2260-8-0x0000000074BF0000-0x000000007519B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yrcqamvj.0.vb

MD5 acecc6acc5abc68499bf7871b1d706d8
SHA1 10e56e95f17c968ad3ab8de2c37c339d4065854b
SHA256 5e25aa622fb2adfa3cb1c855af9620ba7852774dac24163f648b43c37091e97f
SHA512 7454241e3e02b70df7eae9a279e568619d4af37a7524cb27e42f15869a95af443c7bc87b20a1b4d9378afcf6228db239d65bc2725a55d168047fe6a79c86d2c4

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc19F6.tmp

MD5 66c92720beee6c9a918e1be9786b50c9
SHA1 51b280b92d4139a49ef74744f39578cb749f2e7f
SHA256 51ef340657f0e9e6d8769a729bf40391d8b3cb3ce3a71fd4252ee55cee2af7b8
SHA512 2376b0a19c6879d18959b37e127b07627f387a9455f06a78598bf7a3fa24f11d0876a497b267a6ce178483e5166d6c46a8d1003caf6d62ba3d192d5a0807c76b

C:\Users\Admin\AppData\Local\Temp\RES1A07.tmp

MD5 cc0374be6624d2a6c85e9701c2b2ccd2
SHA1 91b04d5918c647e32091626340db08ecbdcbd705
SHA256 33cd3cf68415accb49139d4ec732d7694ff488e139731cea011b224ffff04222
SHA512 a7351af7256bf4d2c26edddc6c5342c38e75f52862ff4377eef016b8e238a580ce3ce15bf001ad3c76d52e3d147959fcdc363cde4f27fa7e712279c4f0df4006

memory/2260-18-0x0000000074BF0000-0x000000007519B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp15F1.tmp.exe

MD5 26b568e33f9c35acc0a34166c023a184
SHA1 1397f59269febdd6fa02582a5764d3a95cb80a59
SHA256 e6b8c30759f7ede87b4c7f747b78a8e2680bdbe67440ecf77d60edd295a3ee0b
SHA512 08ae405a580bf9219802bae97e7706c3b9d6741a44f5d33ede74c3a96249ee17500b4c3152e8253feb164dc35e1321b513c57c1668080d4acec71600075dd34f

memory/1948-24-0x0000000074BF0000-0x000000007519B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-18 04:38

Reported

2024-07-18 04:40

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpC60F.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpC60F.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpC60F.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2948 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2948 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4936 wrote to memory of 3020 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4936 wrote to memory of 3020 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4936 wrote to memory of 3020 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2948 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe C:\Users\Admin\AppData\Local\Temp\tmpC60F.tmp.exe
PID 2948 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe C:\Users\Admin\AppData\Local\Temp\tmpC60F.tmp.exe
PID 2948 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe C:\Users\Admin\AppData\Local\Temp\tmpC60F.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe

"C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jud3oby3.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC709.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3637A7BCA1C429AB1696AF5C1B5867D.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpC60F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpC60F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6742d12ccd2243002f975210f9e16f30N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2948-0-0x0000000074752000-0x0000000074753000-memory.dmp

memory/2948-1-0x0000000074750000-0x0000000074D01000-memory.dmp

memory/2948-2-0x0000000074750000-0x0000000074D01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jud3oby3.cmdline

MD5 18384a764e8950e80ac5ef4fea9bdbed
SHA1 97ac73ad4ca6ce85531a195a7c9b8cf31f0912f2
SHA256 b9cd4d2ca34d60c171bacef359d8f094b5babade27527f88e8d0c67385786b06
SHA512 5a4eab3d89531cbc999101897e2962d56bee505b661abc4dc2e121e76215333182cfb1c6ae86508c2d88bc7833f6f4436e9899deb16bd2334376b72f09170a71

C:\Users\Admin\AppData\Local\Temp\jud3oby3.0.vb

MD5 717bb9976ca5d957d7c13cd566ea0fe3
SHA1 607c1032cd199830c735ccca13fecf205ef95452
SHA256 3c2aa9e560ae662724aa2ac0ea761e11166f56ca1861cd3f78a3890554bca162
SHA512 346dffd45175389cfc8d4fb0a30939fca25e155ba6a3dadedb71a932829d9a40ba44e3a21d1f93e873d6256d292737274836051b9fe785bd7be36d5dd687def2

memory/4936-8-0x0000000074750000-0x0000000074D01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcD3637A7BCA1C429AB1696AF5C1B5867D.TMP

MD5 927098e5a01f72a952fdf8aa1719fdfc
SHA1 48bedbd5ce8de0089849789beea45a10429d4218
SHA256 6d7db10048d4de17cae129bee35aad53f2ce860e3793574e4af318d44b3ec2db
SHA512 b2e304d01493811ad53ea9cd1c30fdd5f3f760a4cbc30da1153dac911e0e5d8c0111bd7e0f29b8309cdea999ea672392ff28ca04009f0c88351659778c5632ce

C:\Users\Admin\AppData\Local\Temp\RESC709.tmp

MD5 cffd08d5e8bdcc5356f1259edd1568b0
SHA1 3676ccb83ac3cb7fe04f5b2224ada69687514fed
SHA256 0dd52885d61515cc8352e300de815adf07ea8ab62c78ee98cdfbc8042050965f
SHA512 d234dbc7b68cbc37af41739778d0590006dd1b0eecfa2f6bac8ea1797153ced83cc719c499d45c71e3312160fb7dd445cad3574c1e75bbd126bf73fa0c944dc0

memory/4936-18-0x0000000074750000-0x0000000074D01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC60F.tmp.exe

MD5 a3f5a3aa7e613139e90fb4f637bdce4f
SHA1 f4b96ea88ea21f1bda7b64aef674aec4701cb0f5
SHA256 354df2e7626a8dd8fa66a3dd62f75fd5488af8ebb7657efa04bd092290af3713
SHA512 cfcc644678ba246462d79be21b6fdc63c9c3a58835bcbdbb9d0bda095c398c632bd3f1f3960ff7d5fdecffee79ad590e70ec25a55e2a6fa5586a6b1dc0c35075

memory/2948-22-0x0000000074750000-0x0000000074D01000-memory.dmp

memory/60-24-0x0000000074750000-0x0000000074D01000-memory.dmp

memory/60-23-0x0000000074750000-0x0000000074D01000-memory.dmp

memory/60-26-0x0000000074750000-0x0000000074D01000-memory.dmp

memory/60-27-0x0000000074750000-0x0000000074D01000-memory.dmp

memory/60-28-0x0000000074750000-0x0000000074D01000-memory.dmp