Malware Analysis Report

2024-09-11 10:24

Sample ID 240719-czc4ksydkr
Target 4055902531fb7712981860ed1279b730N.exe
SHA256 384e3970d7a4d9a1644f47ba61bef95a6687a3d9c2345aa52899c3ac9d556959
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

384e3970d7a4d9a1644f47ba61bef95a6687a3d9c2345aa52899c3ac9d556959

Threat Level: Known bad

The file 4055902531fb7712981860ed1279b730N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Loads dropped DLL

Checks computer location settings

Deletes itself

Executes dropped EXE

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-19 02:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-19 02:30

Reported

2024-07-19 02:32

Platform

win7-20240704-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpC66B.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpC66B.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpC66B.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3064 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3064 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3064 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3064 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2304 wrote to memory of 1284 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2304 wrote to memory of 1284 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2304 wrote to memory of 1284 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2304 wrote to memory of 1284 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3064 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe C:\Users\Admin\AppData\Local\Temp\tmpC66B.tmp.exe
PID 3064 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe C:\Users\Admin\AppData\Local\Temp\tmpC66B.tmp.exe
PID 3064 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe C:\Users\Admin\AppData\Local\Temp\tmpC66B.tmp.exe
PID 3064 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe C:\Users\Admin\AppData\Local\Temp\tmpC66B.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe

"C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h7axlf21.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC7D1.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpC66B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpC66B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/3064-0-0x0000000074821000-0x0000000074822000-memory.dmp

memory/3064-1-0x0000000074820000-0x0000000074DCB000-memory.dmp

memory/3064-2-0x0000000074820000-0x0000000074DCB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\h7axlf21.cmdline

MD5 09a84233097010ef918366f2f0b96874
SHA1 5e892a621115c541126d1a7f02b1dac3f43d4d66
SHA256 486fcc2d21ca2c81154807badf0437c06493bce76db2e1ed50845d44efd23e8f
SHA512 5586c851f941faf8283f4c866a3e4d6166aeb496e5a0ac2ce2a3ef9fa700ad0db9db212fa34dee65be5f2c11a99e8b1b6e3e589bcc1b27d189274aa34ee6f66a

memory/2304-8-0x0000000074820000-0x0000000074DCB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\h7axlf21.0.vb

MD5 599ec997ac2d176ca8af0ef2f101c6df
SHA1 76cbf8c5333a15d49168613277ee8b329b670248
SHA256 9ac14b31d369ea0d5b71cd895f17fe8ead017e18e9bc301e3ab4648b8d4c5c6f
SHA512 f87f2c0536a34c7fb2f92f384909010164117f7839531560cc9b9ce97e1de71cfe9364b20d734697cd9a49aadcdac2e6adf7fa6a2dc0b6846fae03fc2539634d

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcC7D1.tmp

MD5 a88622bccea08eb5d33d6e216639fffe
SHA1 46ab66f77fc57762c555c4a43939ce2f93013ed5
SHA256 1641b786bc199f171b648c028bf562898d83e90f2f6f24ae3e36d9ba36939e9d
SHA512 7a674f4da3bca0f7747eb96b4afaf360fcec6080abc3f18bf782b3e0a7f92c328ca41b577fb0e9e1d1741f5becd3bcd3da08eb3d7f5a07c81b5a0fe3bdea4913

C:\Users\Admin\AppData\Local\Temp\RESC7D2.tmp

MD5 58795e5264392e16d11ed63637615326
SHA1 c0b34c910eb837fe38fff4644b61b25ba7d15a08
SHA256 100238945829f7202151e952fb202da8b8cf72e3ddf1da9fb61767a4af25cec5
SHA512 0f7ab653d3682b7e1655973d7f874485e144b53b97b5e79924120c31251d166c65b3ffbf580eba6d8a45719b140e7ad2f7c3ef1a8ef9669921bcbaa988f3411a

memory/2304-18-0x0000000074820000-0x0000000074DCB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC66B.tmp.exe

MD5 8f1f272e8165e86222de5c38beeeb8c7
SHA1 45b662042dbc71b2be8d2773e7cc3148b457188f
SHA256 0075da70be44d3d1479919c35f4d517ac78beaa98592d6c72a854575ace68392
SHA512 1a00902cc54b6fab08b750d84aa2e3e8ff940c55fc9a21d3fd7f6b7ba378aca1a3893640bbb245e6452f34c1ed779b6ca2c0989c5ff2c99f80f221cd4134c077

memory/3064-24-0x0000000074820000-0x0000000074DCB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-19 02:30

Reported

2024-07-19 02:32

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2704 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2704 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2704 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4004 wrote to memory of 2196 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4004 wrote to memory of 2196 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4004 wrote to memory of 2196 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2704 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp.exe
PID 2704 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp.exe
PID 2704 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe

"C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\viehy7gk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5A43A115838B42F4972F27F5C72E46AB.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4055902531fb7712981860ed1279b730N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2704-0-0x0000000074E52000-0x0000000074E53000-memory.dmp

memory/2704-1-0x0000000074E50000-0x0000000075401000-memory.dmp

memory/2704-2-0x0000000074E50000-0x0000000075401000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\viehy7gk.cmdline

MD5 ef780615974dba04c569efe5b30ea825
SHA1 0086e506d75e5c14e668a5133ab6dac4b6f25b8a
SHA256 d1b68dbffd1e0c4ac19bbd279df80a73d1a576f8ff30f63a0b1aa8f739267d25
SHA512 01680527adfa34ea1edf9bdb64e066dc954fd9aa84465745e35424a808f166a93b0f7050002b760db5fb1d26b9fb3dfa0aa4ddc87b0a3e5841ebc99ca6e90d2f

memory/4004-8-0x0000000074E50000-0x0000000075401000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\viehy7gk.0.vb

MD5 0c0962cb88e119e1fb9caa8955cbb1e9
SHA1 bb0a4e060b4b9a45f44483d9672a4fda2910f072
SHA256 820f3c5d6f2ebd6ffb4a4226d713b048e980b23ab2943b69984c43bb69902592
SHA512 847ec65b25cddc0078bdb187b02da4d8848de882730e7aeeb379a59a2769b40d8ce25c42254ae8ddaf9c769c7c8e78f5f71866b0c19ae6e8e1bbf127d8e4ca77

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc5A43A115838B42F4972F27F5C72E46AB.TMP

MD5 223a0a70a43c302f105e2668b2b0d59f
SHA1 aad8e316b55ab586fe8eb1cb6fe64ae62278b08b
SHA256 15839e7c0e4280b8f57a8e0d8eab6e80291af0d90ad8c7c6177ab7db03b9f5f1
SHA512 b399593e67d09a599ff018766c2c7ad78de53854abcfdb8df7f874faca13f5239559868fad002dfdbdd2aaca5f3c121014fd58d673671e607af58e3572cdbae6

C:\Users\Admin\AppData\Local\Temp\RESE8AA.tmp

MD5 fcdb3d512e3eae776ecae9c7013eba3c
SHA1 e18ebc2480b4e7472d7550740c5d1a8494d81e63
SHA256 4bb5eda03c1acf309148a0678c146af075c103af38cb78a8156db2812f316bd4
SHA512 af9cee8c4a88825c43d8193d70e01bb07bcb3affbee72f76a3e3af2ff42259c63f85dc0530cd5e920da7c98e19e953182024e8b25686f9dc4625f11e347da294

memory/4004-18-0x0000000074E50000-0x0000000075401000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp.exe

MD5 974a67b71cc35a0c6b60577ffa7aa125
SHA1 8feb15a0bb559cbe1acf89633945009d279fda2c
SHA256 882bcb80e9b83277f7c3c6d3f9669731c6dc8245c40177373b6f6faa0a84b8a8
SHA512 709baea2f4873a76ae545de873e3633146b32b36b3fa14073f5b8468faeacfeb131a37b7509089b3b246d1b7d4115eaa9198ad72ffb46f14fc730a869380d342

memory/2704-22-0x0000000074E50000-0x0000000075401000-memory.dmp

memory/4756-23-0x0000000074E50000-0x0000000075401000-memory.dmp

memory/4756-24-0x0000000074E50000-0x0000000075401000-memory.dmp

memory/4756-25-0x0000000074E50000-0x0000000075401000-memory.dmp

memory/4756-27-0x0000000074E50000-0x0000000075401000-memory.dmp

memory/4756-28-0x0000000074E50000-0x0000000075401000-memory.dmp

memory/4756-29-0x0000000074E50000-0x0000000075401000-memory.dmp