Malware Analysis Report

2024-09-11 10:23

Sample ID 240721-db43tsvfrl
Target 537592d1e3899ffc46a2cde415c48a80N.exe
SHA256 9f173afd2aa034e4a10b342e5ec563ff25e2d6454769123a698985594a1a8ca5
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9f173afd2aa034e4a10b342e5ec563ff25e2d6454769123a698985594a1a8ca5

Threat Level: Known bad

The file 537592d1e3899ffc46a2cde415c48a80N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Uses the VBS compiler for execution (vbc.exe, the Visual Basic .NET command-line compiler, not a VBScript engine)

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-21 02:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-21 02:50

Reported

2024-07-21 02:53

Platform

win7-20240708-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\537592d1e3899ffc46a2cde415c48a80N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4E01.tmp.exe N/A

Uses the VBS compiler for execution

The signature name is the sandbox's; the binary involved is vbc.exe, the Visual Basic .NET command-line compiler, not a VBScript engine. The sample writes a VB.NET source file (vj0nlbt2.0.vb), a compiler response file (vj0nlbt2.cmdline) and a .NET resource file (zCom.resources) to %TEMP%, then runs vbc.exe /noconfig @vj0nlbt2.cmdline. vbc.exe in turn runs cvtres.exe to convert the compiled resource (vbc4EDB.tmp) into a linkable COFF object (RES4EDC.tmp). The build output is tmp4E01.tmp.exe, which is executed next. The shared eight-character random base name of the .cmdline and .0.vb files is the naming pattern of .NET CodeDOM run-time compilation (VBCodeProvider), so the payload is compiled fresh on the victim rather than shipped as a PE.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp4E01.tmp.exe N/A

The value is written by the compiled payload, not the original sample, and names a path (C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe) that does not appear among the files recorded in this detonation. A Run entry pointing at a non-existent file is inert, so on a live host confirm whether that path was populated before treating the persistence as established; the System.XML value name and a Run target inside %TEMP% are the indicators to hunt for either way.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\537592d1e3899ffc46a2cde415c48a80N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp4E01.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2432 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\537592d1e3899ffc46a2cde415c48a80N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
PID 2736 wrote to memory of 2676 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 2432 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\537592d1e3899ffc46a2cde415c48a80N.exe C:\Users\Admin\AppData\Local\Temp\tmp4E01.tmp.exe 4

Identical rows are collapsed with a count. Every write goes from a parent into a process it has just started (sample to vbc.exe, vbc.exe to cvtres.exe, sample to tmp4E01.tmp.exe), four writes per child, which is the pattern CreateProcess itself produces when it sets up the new process's parameters. No write into a pre-existing or unrelated process is recorded, so this signature on its own does not indicate code injection or process hollowing here; its value is that it gives the parent/child PIDs for the process tree below.

Processes

PIDs and parentage are taken from the WriteProcessMemory rows above.

C:\Users\Admin\AppData\Local\Temp\537592d1e3899ffc46a2cde415c48a80N.exe (PID 2432)
    "C:\Users\Admin\AppData\Local\Temp\537592d1e3899ffc46a2cde415c48a80N.exe"

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2736, started by 2432)
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vj0nlbt2.cmdline"

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2676, started by 2736)
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EDC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4EDB.tmp"

    C:\Users\Admin\AppData\Local\Temp\tmp4E01.tmp.exe (PID 2792, started by 2432)
        "C:\Users\Admin\AppData\Local\Temp\tmp4E01.tmp.exe" C:\Users\Admin\AppData\Local\Temp\537592d1e3899ffc46a2cde415c48a80N.exe

The freshly compiled payload receives the original sample's path as its only argument.
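The chain above (a binary in %TEMP% driving vbc.exe with a CodeDOM-style response file, then a compiled payload writing a Run value that points back into %TEMP%) is what an endpoint rule should key on. The following Python is an added example, not part of the sandbox report or of the sample: it encodes both checks as functions over Sysmon-style process-creation and registry-set events and runs them over events constructed from this report's rows, plus two constructed benign controls (a developer IDE and PowerShell driving the same compilers). The field names, the build-tool allowlist and the list of user-writable directories are assumptions to tune per environment.

```python
"""Added example: detection logic for run-time compilation via vbc.exe/csc.exe
launched from a user-writable directory, and for Run-key values that point into
one. Events below are constructed from this report's rows; the Sysmon-style
field names are an assumption, not the sandbox's schema."""
import re
from dataclasses import dataclass

# Directories a legitimate build never originates from (assumption: extend per site).
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|Downloads|Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
# Tooling that legitimately drives the .NET compilers (assumption: allowlist).
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe", "dotnet.exe"}
# CodeDOM shape seen in the report: vbc.exe /noconfig @"<random>.cmdline"
CODEDOM_CMDLINE = re.compile(r'/noconfig\s+@"?[^"\s]+\.cmdline"?', re.IGNORECASE)
# Matches the NT spelling (\REGISTRY\USER\S-1-5-...\Software\...) and HKU\... alike.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


@dataclass
class ProcessCreate:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


@dataclass
class RegistrySet:
    pid: int
    image: str
    target_object: str
    details: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def runtime_compile_from_user_dir(ev: ProcessCreate) -> bool:
    """vbc.exe/csc.exe with a CodeDOM response file, parented by something in a
    user-writable directory that is not a known build tool."""
    if basename(ev.image) not in {"vbc.exe", "csc.exe"}:
        return False
    if not CODEDOM_CMDLINE.search(ev.command_line):
        return False
    if basename(ev.parent_image) in DEV_PARENTS:
        return False
    return bool(USER_WRITABLE.search(ev.parent_image))


def run_key_into_user_dir(ev: RegistrySet) -> bool:
    """Run/RunOnce value whose data is a path inside a user-writable directory."""
    if not RUN_KEY.search(ev.target_object):
        return False
    # Sandbox and Sysmon output often carry JSON-style doubled backslashes and quotes.
    data = ev.details.replace("\\\\", "\\").strip('" ')
    return bool(USER_WRITABLE.search(data))


def triage(events):
    """Return (pid, reason) for every event that matches either rule."""
    findings = []
    for ev in events:
        if isinstance(ev, ProcessCreate) and runtime_compile_from_user_dir(ev):
            findings.append((ev.pid, f"runtime compile via {basename(ev.image)} from {ev.parent_image}"))
        elif isinstance(ev, RegistrySet) and run_key_into_user_dir(ev):
            findings.append((ev.pid, f"Run key {basename(ev.target_object)} -> {ev.details}"))
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = TEMP + r"\537592d1e3899ffc46a2cde415c48a80N.exe"

# Constructed from the behavioral1 rows (PIDs 2432 -> 2736 -> 2676 and 2432 -> 2792).
SAMPLE_EVENTS = [
    ProcessCreate(2736, FW + r"\vbc.exe",
                  f'"{FW}\\vbc.exe" /noconfig @"{TEMP}\\vj0nlbt2.cmdline"', 2432, SAMPLE),
    ProcessCreate(2676, FW + r"\cvtres.exe",
                  f'{FW}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RES4EDC.tmp" "{TEMP}\\vbc4EDB.tmp"',
                  2736, FW + r"\vbc.exe"),
    ProcessCreate(2792, TEMP + r"\tmp4E01.tmp.exe", f'"{TEMP}\\tmp4E01.tmp.exe" {SAMPLE}', 2432, SAMPLE),
    RegistrySet(2792, TEMP + r"\tmp4E01.tmp.exe",
                r"\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000"
                r"\Software\Microsoft\Windows\CurrentVersion\Run\System.XML",
                r'"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""'),
    # Benign controls (constructed): an IDE and PowerShell's Add-Type drive the same compilers.
    ProcessCreate(4100, FW + r"\vbc.exe", f'"{FW}\\vbc.exe" /noconfig @"{TEMP}\\q1w2e3r4.cmdline"',
                  3999, r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"),
    ProcessCreate(4200, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                  f'csc.exe /noconfig @"{TEMP}\\a1b2c3d4.cmdline"',
                  4150, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS):
        print(pid, reason)
```

Only the vbc.exe launch from the sample (PID 2736) and the Run value written by the payload (PID 2792) fire; cvtres.exe is left alone because it is a normal child of the compiler, and the two controls show why the rule keys on the parent's location rather than on the compiler itself, since Add-Type and IDE builds produce the very same vbc.exe/csc.exe command line.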

Network

Identical rows are collapsed with a count.

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 8.8.8.8:53 hackorchronix.no-ip.biz udp 1
US 44.221.84.105:80 bejnz.com tcp 87

bejnz.com resolves to 44.221.84.105 and receives 87 TCP connections on port 80 within the 120 s network window, roughly one every 1.4 s, which is a polling or beaconing rate rather than a one-off download. hackorchronix.no-ip.biz, a dynamic-DNS name, is queried once and no connection to it follows, consistent with a failed or empty resolution. Treat both names and the IP as C2 indicators; note that the dynamic-DNS name can be re-pointed at any time, so the IP alone is a weak block.

Files

memory/2432-0-0x0000000074301000-0x0000000074302000-memory.dmp

memory/2432-1-0x0000000074300000-0x00000000748AB000-memory.dmp

memory/2432-2-0x0000000074300000-0x00000000748AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vj0nlbt2.cmdline

MD5 b6073256437fe6ff8b486b7bce6dbafc
SHA1 92f5cf027e43b6d037d076ddd2cc7b7389137e22
SHA256 eaa7bafa178ae9c72d981a5f90a2a8235e0cb69f1d5a97371afcda06548c9e68
SHA512 dbb76489558e890fd3cd0e794d4f70aa0bcf4261e83181a9701fe909e94e4b41b5012295737be951d994455cf5599d831a957ad522f1f512512891be41f3837d

memory/2736-8-0x0000000074300000-0x00000000748AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vj0nlbt2.0.vb

MD5 b96feede14b631edb189537ca2a8f6e0
SHA1 0e27529fd9379e45925f1ec12488f04dede082d5
SHA256 070ba1c76d8ffba7531c3360919df79e6858994a13de47b53014673d63d71ce1
SHA512 180c40ca1713f6a454bb534228945274e45582032365a43bd33aae5e71d0276c0d9d12a16923565085ea73661713d9ff736f33e1e40743d11ddb0c7481d6dbf3

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc4EDB.tmp

MD5 994aa94c6b0903e453c538e1f74fb368
SHA1 f0ab7c5b2b47df6e4a31148ad739e790921cd21b
SHA256 103609c91ad048c789e6c4f35cb02f282beae55b6a5bf9f3ef0b039e190397de
SHA512 aa6cf3b489d887828b59fc350781fe89ae7edb5094b2e1258ed77e0995c8c918748665fde921a6d490d7ba42ed71fa8fdabfea5b6c306c0a6aaa98fef862eb15

C:\Users\Admin\AppData\Local\Temp\RES4EDC.tmp

MD5 f06782ebf233f5eb8675e8450945193f
SHA1 b764955cee157f3379ed72111203389561a80d8c
SHA256 0f226139240df5b44070a76015eac548cb5618e27ff1c250b087b8f25a99985c
SHA512 a2d8717d1c684e724a8d10dfa479ec67104f541d9385f56b9a343438241a6b85844cde483a22e03addecaa379958df71b3fe1077f7689a51d42b4d24a090bd6d

memory/2736-18-0x0000000074300000-0x00000000748AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4E01.tmp.exe

MD5 4c61202d609f6ba1100cf71a90c6fa35
SHA1 83c95d3aa5b25a842739931a9919546b3a6b42c7
SHA256 caf57c984072a1e737f3440cf45425ff0ff48fadda6e575b5c67ee866f4f18bd
SHA512 c370fe0f8f2abed5819da8f6f820e3b2a740e8b65899ce42871595f43e29cc4b06063ac5035191628686db184c55a8e1c066c62436e2770616701039bb959904

memory/2432-24-0x0000000074300000-0x00000000748AB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-21 02:50

Reported

2024-07-21 02:53

Platform

win10v2004-20240709-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\537592d1e3899ffc46a2cde415c48a80N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\537592d1e3899ffc46a2cde415c48a80N.exe N/A

Geo\Nation holds the user's country setting and is read through GetUserGeoID and .NET's RegionInfo by many benign programs, so on its own this is weak evidence. It matters in combination with the rest of the chain, because RATs and stealers commonly use the country code to tailor or suppress execution by region. The query is not recorded in the Windows 7 run.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpC4D6.tmp.exe N/A

Uses the VBS compiler for execution

As in the Windows 7 run, the binary is vbc.exe, the Visual Basic .NET compiler, not a VBScript engine. The sample drops vbjehl7t.0.vb, vbjehl7t.cmdline and zCom.resources to %TEMP%, runs vbc.exe /noconfig @vbjehl7t.cmdline, and vbc.exe runs cvtres.exe to convert vbcB3455637BD3D48B699651F626A929DC.TMP into RESC68C.tmp. The output tmpC4D6.tmp.exe (SHA256 a67c08ea090d79c022da116d14dfbaf447c84e301f1b0458d7dd1dacc0bcdb71) differs from the Windows 7 build (caf57c984072a1e737f3440cf45425ff0ff48fadda6e575b5c67ee866f4f18bd), while zCom.resources is byte-identical across both runs: the payload is compiled per execution, so its file hash is not a stable indicator but the resource file and the compile chain are.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpC4D6.tmp.exe N/A

Same value name and target as on Windows 7, written by the compiled payload. C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe is again absent from the recorded files, so verify on a live host that the path exists before counting the persistence as effective.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\537592d1e3899ffc46a2cde415c48a80N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpC4D6.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\537592d1e3899ffc46a2cde415c48a80N.exe

"C:\Users\Admin\AppData\Local\Temp\537592d1e3899ffc46a2cde415c48a80N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vbjehl7t.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC68C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB3455637BD3D48B699651F626A929DC.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpC4D6.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpC4D6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\537592d1e3899ffc46a2cde415c48a80N.exe

Network

Identical rows are collapsed with a count; rows are listed in order of first appearance.

Country Destination Domain Proto Count
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp 1
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp 1
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 bejnz.com udp 1
US 44.221.84.105:80 bejnz.com tcp 84
US 8.8.8.8:53 hackorchronix.no-ip.biz udp 22
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp 1
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp 1
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp 1
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp 1
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp 1
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.27.10:443 tse1.mm.bing.net tcp 5
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp 1

In the uncollapsed capture the traffic alternates between blocks of two to four HTTP connections to bejnz.com and a single DNS query for hackorchronix.no-ip.biz; that name is queried 22 times in about 120 s and no connection to it ever follows, i.e. a retry loop on a secondary C2 name that does not resolve to a reachable host. 105.84.221.44.in-addr.arpa is the reverse lookup of the bejnz.com address. The remaining in-addr.arpa queries (addresses in 20.x, 52.x and 93.184.x ranges) and the tse1.mm.bing.net traffic fall in Microsoft-operated ranges and are typical Windows 10 background activity; attribute them to the sandbox image unless the sample can be shown to issue them.
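Both Network sections (behavioral1 and behavioral2) are long runs of near-identical rows in which the signal is a count and an absence: how often the C2 is hit, and which names are resolved without any connection following. The Python below is an added example, not part of the report: it parses rows in the report's "Country Destination Domain Proto" layout, collapses repeats, decodes PTR queries so sandbox reverse lookups can be separated from sample activity, and reports names queried but never connected to. ROWS is a constructed subset of this report's lines (not the full table), and the BACKGROUND_NOISE allowlist is an assumption to tune per sandbox image.

```python
"""Added example: summarise a sandbox report's Network table. Rows are split into
DNS queries and connections, identical rows are collapsed with counts, PTR
queries are decoded, and names that were resolved but never connected to are
reported. ROWS is constructed from a subset of this report's lines."""
from collections import Counter
import ipaddress

ROWS = """\
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
"""

# Hosts the sandbox image contacts on its own (assumption: tune per image).
BACKGROUND_NOISE = {"tse1.mm.bing.net"}


def parse_rows(text):
    """'Country Destination Domain Proto' lines -> list of dicts; header lines skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_dns_query(row):
    return row["proto"] == "udp" and row["port"] == 53


def summarize(rows):
    """Collapse identical rows: (ip, port, domain, proto) -> count, in first-seen order."""
    counts = {}
    for r in rows:
        key = (r["ip"], r["port"], r["domain"], r["proto"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def ptr_target(name):
    """IP address a *.in-addr.arpa query asks about, or None for a forward lookup."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def ptr_queries(rows):
    """Reverse lookups mapped to whether that IP was actually contacted.
    A PTR for a contacted IP is ordinary resolver/capture behaviour; PTRs for
    never-contacted IPs usually come from the OS image, not the sample."""
    contacted = {r["ip"] for r in rows if not is_dns_query(r)}
    out = {}
    for r in rows:
        if is_dns_query(r):
            ip = ptr_target(r["domain"])
            if ip is not None:
                out[ip] = ip in contacted
    return out


def queried_never_connected(rows):
    """Forward lookups that never appear as the Domain of a connection, with
    query counts. A C2 name that fails to resolve (or resolves to nothing
    reachable) shows up as a repeated query with no connection behind it."""
    connected = {r["domain"] for r in rows if not is_dns_query(r)}
    queried = Counter(
        r["domain"] for r in rows
        if is_dns_query(r) and ptr_target(r["domain"]) is None
    )
    return {name: n for name, n in queried.items()
            if name not in connected and name not in BACKGROUND_NOISE}


def c2_candidates(rows):
    """Connections (not DNS, not background noise) with hit counts."""
    return {k: n for k, n in summarize(rows).items()
            if not (k[3] == "udp" and k[1] == 53) and k[2] not in BACKGROUND_NOISE}


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    print("connections:", c2_candidates(rows))
    print("queried, never connected:", queried_never_connected(rows))
    print("PTR queries:", ptr_queries(rows))
```

On the constructed subset the result is one C2 endpoint (44.221.84.105:80 as bejnz.com, four hits), one name queried twice with no connection (hackorchronix.no-ip.biz), and two PTR queries of which only the one for 44.221.84.105 concerns an address the sample actually contacted. Run against the full tables above it yields the counts given in the collapsed rows.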

Files

memory/5032-0-0x0000000074DB2000-0x0000000074DB3000-memory.dmp

memory/5032-1-0x0000000074DB0000-0x0000000075361000-memory.dmp

memory/5032-2-0x0000000074DB0000-0x0000000075361000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbjehl7t.cmdline

MD5 ed6482b99bca516b94b6d120b74746bb
SHA1 cd1bdb092024697397dcd31e3bef34ac8a1f016c
SHA256 861fb74a9aa63717cede1983b7cad4493f63dd5ddcf5a6a618092319d8f416d6
SHA512 91e4d193d51b74c81ed7e19787096f4c23914e6b6325df67eeaa9c4fbe280129f229cf099dbd4f3944a01a0c9e5f949868b1fd16c3f6797498917dc597a106e2

C:\Users\Admin\AppData\Local\Temp\vbjehl7t.0.vb

MD5 abf4ecc1f4f0cca825661e9dc5d357a1
SHA1 ae0bc77ef2a6f90610c09caf7346133e7f51e3a7
SHA256 bb32be559d0e336753cf1ee3e4f49150070846f929c801b97ba689660a856043
SHA512 296dcbca0486fb90e3f63962f58a5ab29af84f7848e0781f35c0ef79d855934a35559b3f48249bf4e0ac872b0e5fb3d210ac7d9ebd0c6d1ecdd8f4cd21e8f6a8

memory/4844-9-0x0000000074DB0000-0x0000000075361000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcB3455637BD3D48B699651F626A929DC.TMP

MD5 90c62bcebed5dcd7e2821fe026d740ee
SHA1 c04aff3573bd6013844e4d05564a75944358230b
SHA256 148d75578ee580060d82c1bdc70d8d6328b04ea546bcb68073df7a1e77219f97
SHA512 02b59ef7dd8afc78900dad37de17c2b9effa1e2fa3fa4bbccf102826f8f87b4e5ef6a7d9f6e81e61b384f708a893ffc142ef3ee44bd6b68af2d52e4d8d2224c4

C:\Users\Admin\AppData\Local\Temp\RESC68C.tmp

MD5 112d1e47fa86a3b2be080513aaacc6c4
SHA1 79448c7dc22ef798b8f7ee1086d2e436d8477183
SHA256 0c3751134adb27fc8c24601712c2b59ac10d2d5e6902d696f3f2358d31f69a09
SHA512 bd24700e3a46865b0e5cdcf30355f8ffa0bc92271b1e4132cc1050ee31e13b792cc4c174686065d8fa0a138887de4080985711a06dab455a993f185fbd7d4f6b

memory/4844-18-0x0000000074DB0000-0x0000000075361000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC4D6.tmp.exe

MD5 3581a6a1ee824275b7f1702f7c96c8f8
SHA1 b5fa15e7a240b0b62a2872a4a1867fb9431770a0
SHA256 a67c08ea090d79c022da116d14dfbaf447c84e301f1b0458d7dd1dacc0bcdb71
SHA512 d83e170de6fc1c7aeeb1b49aa773acfe5ca57ef06ee544fce5804036701053159c6591fbd7239ffc31ca3674959329632f769ad9206a7caf70dff1d2af7a75f1

memory/320-23-0x0000000074DB0000-0x0000000075361000-memory.dmp

memory/5032-22-0x0000000074DB0000-0x0000000075361000-memory.dmp

memory/320-25-0x0000000074DB0000-0x0000000075361000-memory.dmp

memory/320-26-0x0000000074DB0000-0x0000000075361000-memory.dmp

memory/320-27-0x0000000074DB0000-0x0000000075361000-memory.dmp
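The two Files sections show the same compile chain producing different file names and, for everything except zCom.resources, different hashes in each detonation. Deciding which of these hashes are worth blocking is a matter of normalising the run-specific names and diffing the runs, which the Python below does; it is an added example, not part of the report. The MD5 values are copied from the two Files sections; the regexes that map CodeDOM's eight-character base names and the tmp/RES/vbc temporary names to patterns are the author's assumptions about how those names are generated.

```python
"""Added example: compare dropped-file artifacts between the two detonations in
this report. Names produced by CodeDOM (8 random characters + .cmdline / .0.vb)
and the compiler's temporary files (tmpXXXX.tmp.exe, RESXXXX.tmp, vbc<hex>.tmp)
change every run, so basenames are normalised to a pattern before the runs are
matched. MD5 values are copied from the report's Files sections."""
import re

# behavioral1 (win7) and behavioral2 (win10): basename -> MD5, from the report.
RUN1 = {
    "vj0nlbt2.cmdline": "b6073256437fe6ff8b486b7bce6dbafc",
    "vj0nlbt2.0.vb": "b96feede14b631edb189537ca2a8f6e0",
    "zCom.resources": "aa4bdac8c4e0538ec2bb4b7574c94192",
    "vbc4EDB.tmp": "994aa94c6b0903e453c538e1f74fb368",
    "RES4EDC.tmp": "f06782ebf233f5eb8675e8450945193f",
    "tmp4E01.tmp.exe": "4c61202d609f6ba1100cf71a90c6fa35",
}
RUN2 = {
    "vbjehl7t.cmdline": "ed6482b99bca516b94b6d120b74746bb",
    "vbjehl7t.0.vb": "abf4ecc1f4f0cca825661e9dc5d357a1",
    "zCom.resources": "aa4bdac8c4e0538ec2bb4b7574c94192",
    "vbcB3455637BD3D48B699651F626A929DC.TMP": "90c62bcebed5dcd7e2821fe026d740ee",
    "RESC68C.tmp": "112d1e47fa86a3b2be080513aaacc6c4",
    "tmpC4D6.tmp.exe": "3581a6a1ee824275b7f1702f7c96c8f8",
}

# (regex over the basename, canonical pattern name). Assumed name generators.
PATTERNS = [
    (re.compile(r"^[a-z0-9]{8}\.cmdline$", re.I), "<codedom>.cmdline"),
    (re.compile(r"^[a-z0-9]{8}\.0\.vb$", re.I), "<codedom>.0.vb"),
    (re.compile(r"^tmp[0-9a-f]{4}\.tmp\.exe$", re.I), "tmp<hex>.tmp.exe"),
    (re.compile(r"^res[0-9a-f]{4}\.tmp$", re.I), "RES<hex>.tmp"),
    (re.compile(r"^vbc[0-9a-f]+\.tmp$", re.I), "vbc<hex>.tmp"),
]


def normalise(path):
    """Map a run-specific random file name to a stable pattern; fixed names pass through."""
    name = path.rsplit("\\", 1)[-1]
    for rx, pattern in PATTERNS:
        if rx.match(name):
            return pattern
    return name


def compare_runs(run_a, run_b):
    """pattern -> ('stable', md5) | ('volatile', (md5_a, md5_b)) | ('only_a', md5) | ('only_b', md5)"""
    a = {normalise(k): v for k, v in run_a.items()}
    b = {normalise(k): v for k, v in run_b.items()}
    result = {}
    for pattern in sorted(set(a) | set(b)):
        if pattern in a and pattern in b:
            if a[pattern] == b[pattern]:
                result[pattern] = ("stable", a[pattern])
            else:
                result[pattern] = ("volatile", (a[pattern], b[pattern]))
        elif pattern in a:
            result[pattern] = ("only_a", a[pattern])
        else:
            result[pattern] = ("only_b", b[pattern])
    return result


def stable_hashes(run_a, run_b):
    """Hashes identical across detonations: the ones worth putting on a blocklist."""
    return {p: v for p, (state, v) in compare_runs(run_a, run_b).items() if state == "stable"}


def volatile_patterns(run_a, run_b):
    """Artifacts whose hash changes per run: match these by name pattern and parent, not by hash."""
    return sorted(p for p, (state, _) in compare_runs(run_a, run_b).items() if state == "volatile")


if __name__ == "__main__":
    for pattern, verdict in compare_runs(RUN1, RUN2).items():
        print(f"{pattern:24} {verdict}")
```

The only stable hash is zCom.resources; the VB source, the response file, both compiler temporaries and the final tmp*.tmp.exe all differ between runs, so a hash of the compiled payload from one detonation will not catch the next one. Hunt instead for the name patterns (an eight-character .cmdline and .0.vb pair in %TEMP% followed by a tmp*.tmp.exe launched with another executable's path as argument) together with the vbc.exe parentage shown in the Processes sections.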