Malware Analysis Report

2024-09-11 10:23

Sample ID 240723-27x66axelc
Target 7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3
SHA256 7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3

Threat Level: Known bad

The file 7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Deletes itself

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-23 23:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 23:14

Reported

2024-07-23 23:16

Platform

win7-20240704-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpC265.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpC265.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpC265.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpC265.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 340 wrote to memory of 1600 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1720 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe C:\Users\Admin\AppData\Local\Temp\tmpC265.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe

"C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qbbodjae.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC4B6.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpC265.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpC265.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 tcp

Files

memory/1720-0-0x0000000074551000-0x0000000074552000-memory.dmp

memory/1720-1-0x0000000074550000-0x0000000074AFB000-memory.dmp

memory/1720-2-0x0000000074550000-0x0000000074AFB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qbbodjae.cmdline

MD5 84218ed9bac345b3a01605b667021ca3
SHA1 b75f29e5e46a935b41fe5be31b47f380a32a874c
SHA256 7fed0dbf6ad5eb4c785a968c8193c15c6b2fa6c8b011f764d65845318699e372
SHA512 5f263180b1ab08db73424be6801f96cd5e4a37459a7c58addd86ea6c6b54f731e995ff7a5df5cdc02949b5c6afd6791d849869f05f5864a7240550526cafa619

memory/340-8-0x0000000074550000-0x0000000074AFB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qbbodjae.0.vb

MD5 ce2d3c69c497834a4b16d556cbe73034
SHA1 3988203d388e57c074bb38b1bf282dff6bcc6f35
SHA256 66e72f9c71ffe98786b3e6352fab10e570c4d522c326e6e92ae228a40f880665
SHA512 5406518224110fe91dd934de75ceaa89741fad2b3fb211e2d2b94e3085d4ba57d1f55ecac7b78039366fcc492f2bd27672713bd2cff9ea8d2d38ac93aa23c201

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcC4B6.tmp

MD5 d030fc5acb50ba6c9ef8afbfd0b0f24a
SHA1 e9d5b2ec4dd2e1922b2e72a8c9d7c135f2a64ae0
SHA256 9a51ab0d8ac35a89c0cf3379698aa8f604d43fd50561dc045105ad5b5de549c6
SHA512 f431d6102901c9b5301c3d84edeba216fa32a193f90e315d48bba70d8b4142c7016c84ac72743c92e9dd5b254379dff7ccde3dbf2e0fc1807c03b18c98ee33a4

C:\Users\Admin\AppData\Local\Temp\RESC4B7.tmp

MD5 b3250071ac805216d1bd4e3262af4b70
SHA1 7067e2d62bdfa2fe4c4c04d7a581d57656ee7d79
SHA256 627ae831d2c2c14c7d033826654c4da476eee1810d1e735e7edbb140995c9a38
SHA512 78f800948169f595f89231551a7a7213668283fb01e2612e8047d8e7db6d2f53107033df46a79145b12b55df24bb95efbfd0069182ce3b6173420a571887f571

memory/340-18-0x0000000074550000-0x0000000074AFB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC265.tmp.exe

MD5 54b777a9b938e971f2da53e3e40bafdf
SHA1 9e6af76274b61961b7ca16f683a0995e9d607349
SHA256 537599fa5648cddbb591e1e2e5b3d3892958e97d368310c49c03e0de8a267200
SHA512 b9da181bb300a9c51b7b8dbe65ad2b68d538cd4a1ace4d13a8161499436202261241b185efe95bd272a993c7bc860b7f3274299f96948a38bc00431c843c23bf

memory/1720-24-0x0000000074550000-0x0000000074AFB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-23 23:14

Reported

2024-07-23 23:16

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5A84.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5A84.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp5A84.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp5A84.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp5A84.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3988 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 376 wrote to memory of 1564 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3988 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe C:\Users\Admin\AppData\Local\Temp\tmp5A84.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe

"C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\of-75pfl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B8D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc32C905F9B81E4E68A3303B2A267EFE7A.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp5A84.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5A84.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

memory/3988-0-0x0000000074B52000-0x0000000074B53000-memory.dmp

memory/3988-1-0x0000000074B50000-0x0000000075101000-memory.dmp

memory/3988-2-0x0000000074B50000-0x0000000075101000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\of-75pfl.cmdline

MD5 c58fb908e3f5ab9c16e3396959337b4c
SHA1 314056405ae869d77b43076dd305010475ecfe52
SHA256 d50d206c02c1a8bb68b920019b680a1cd772b542427525aa820b9e0de4555b73
SHA512 93b9ee04cc29fa09c632307fbfe4fcece44aad46229b0ea1ad42386506efb6aaf816b8f149d20d3db7a564566c951603f2d38f41ab2c68b1034b4aae01e8656c

memory/376-9-0x0000000074B50000-0x0000000075101000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\of-75pfl.0.vb

MD5 b0b53eb89254d18e1679d53e3035f764
SHA1 41c531986e0eba09c6f2a8aa194926aeb17db4cb
SHA256 0be85d9313ed85f492a588f932fbd81e3d7246f81757911f5a06863de1c43b95
SHA512 e2599802ac8329f803289ff46e11cfb61aad90196b2dcee24f001bed8cb5c4fd953a59bc11dff943e826a05a301be32b8bbf322475f7c5f5a9f7523a65845d63

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc32C905F9B81E4E68A3303B2A267EFE7A.TMP

MD5 f006ace099716b21cc1e7957d967c47d
SHA1 115863fb7afef6eb7bd4be3196b169323bfb224d
SHA256 2f61d508982fc4846334ecd9347204900c9e4042d796ac4e4da9387de99829c8
SHA512 14d79fff9d8178887b117086cfaab83713550df430d58f47c29b7b6694558abafff2933e3789528f6fbe6b83ec93d0668dfb481981d370cbbf5c27baf1a25ef2

C:\Users\Admin\AppData\Local\Temp\RES5B8D.tmp

MD5 5e349ee72b8e2bff1cb1353d2e5fffd7
SHA1 ada3a92b36290e1966312ac49f202da416639a8b
SHA256 4e8eca45d64aaa533b7aaea43d4c8dfdb44322a0023970866247ec96b8dd459c
SHA512 ba6549e10b514d5e99189ba379e93303b90fed9de65f657f8117ff04b8023ea503bfc8101eb96ca50b0b45617b0a70bb41d6753309322a5b948d37224ea493cc

memory/376-18-0x0000000074B50000-0x0000000075101000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5A84.tmp.exe

MD5 90aa16d0df9ea6ec9395097d34a936ba
SHA1 53674d1856c9a98f527e547d6a2a335698b7284e
SHA256 31141c17f316cbb3a8cdad55e7b538d93714224d6211c508717c734ccba87e60
SHA512 eb048a303ff596cf03270bac2740503a62c5b8a7fe1250163bb24ffc76c999acc321ed84fda25359600df388783bd41904dfca78d873f256ed1aa1695e6152e1

memory/3988-22-0x0000000074B50000-0x0000000075101000-memory.dmp

memory/4728-24-0x0000000074B50000-0x0000000075101000-memory.dmp

memory/4728-23-0x0000000074B50000-0x0000000075101000-memory.dmp

memory/4728-26-0x0000000074B50000-0x0000000075101000-memory.dmp

memory/4728-27-0x0000000074B50000-0x0000000075101000-memory.dmp

memory/4728-28-0x0000000074B50000-0x0000000075101000-memory.dmp