Malware Analysis Report

2024-09-11 10:23

Sample ID 240718-ysv7gaxckb
Target 004b1bf039d5156a874ba3d8cfeef360N.exe
SHA256 004842faaa5d44c233f6b8b9b873cb8ece34f82c3e560a47ddedb3cf7eaea685
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

004842faaa5d44c233f6b8b9b873cb8ece34f82c3e560a47ddedb3cf7eaea685

Threat Level: Known bad

The file 004b1bf039d5156a874ba3d8cfeef360N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Uses the VBS compiler for execution

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-18 20:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-18 20:03

Reported

2024-07-18 20:06

Platform

win7-20240704-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\004b1bf039d5156a874ba3d8cfeef360N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2710.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp2710.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\004b1bf039d5156a874ba3d8cfeef360N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp2710.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2256 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\004b1bf039d5156a874ba3d8cfeef360N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3024 wrote to memory of 2172 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2256 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\004b1bf039d5156a874ba3d8cfeef360N.exe C:\Users\Admin\AppData\Local\Temp\tmp2710.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\004b1bf039d5156a874ba3d8cfeef360N.exe

"C:\Users\Admin\AppData\Local\Temp\004b1bf039d5156a874ba3d8cfeef360N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jmfa7irm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A3D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A3C.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp2710.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2710.tmp.exe" C:\Users\Admin\AppData\Local\Temp\004b1bf039d5156a874ba3d8cfeef360N.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\jmfa7irm.cmdline

C:\Users\Admin\AppData\Local\Temp\jmfa7irm.0.vb

C:\Users\Admin\AppData\Local\Temp\zCom.resources

C:\Users\Admin\AppData\Local\Temp\vbc2A3C.tmp

C:\Users\Admin\AppData\Local\Temp\RES2A3D.tmp

C:\Users\Admin\AppData\Local\Temp\tmp2710.tmp.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-18 20:03

Reported

2024-07-18 20:05

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\004b1bf039d5156a874ba3d8cfeef360N.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\004b1bf039d5156a874ba3d8cfeef360N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp337.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp337.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\004b1bf039d5156a874ba3d8cfeef360N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp337.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\004b1bf039d5156a874ba3d8cfeef360N.exe

"C:\Users\Admin\AppData\Local\Temp\004b1bf039d5156a874ba3d8cfeef360N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hmmekqwj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES422.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3EB49971C97D4CC49374DA95CA6F7ED6.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp337.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp337.tmp.exe" C:\Users\Admin\AppData\Local\Temp\004b1bf039d5156a874ba3d8cfeef360N.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\hmmekqwj.cmdline

C:\Users\Admin\AppData\Local\Temp\hmmekqwj.0.vb

C:\Users\Admin\AppData\Local\Temp\zCom.resources

C:\Users\Admin\AppData\Local\Temp\RES422.tmp

C:\Users\Admin\AppData\Local\Temp\vbc3EB49971C97D4CC49374DA95CA6F7ED6.TMP

C:\Users\Admin\AppData\Local\Temp\tmp337.tmp.exe