Malware Analysis Report

2024-09-11 10:24

Sample ID 240723-dpg58avdjr
Target 584c0b6241c94a0bd06ad1be57123a30N.exe
SHA256 69f3d632778bcf461afe7e9288181da90e54473b3a3f2c6be2b56df861f1b7be
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

69f3d632778bcf461afe7e9288181da90e54473b3a3f2c6be2b56df861f1b7be

Threat Level: Known bad

The file 584c0b6241c94a0bd06ad1be57123a30N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Deletes itself

Uses the VBS compiler for execution

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-23 03:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 03:10

Reported

2024-07-23 03:13

Platform

win7-20240704-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1924 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1924 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1924 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1936 wrote to memory of 2788 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1936 wrote to memory of 2788 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1936 wrote to memory of 2788 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1936 wrote to memory of 2788 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1924 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmp.exe
PID 1924 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmp.exe
PID 1924 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmp.exe
PID 1924 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe

"C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3ckpluyt.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9648.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9637.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmp.exe" C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/1924-0-0x0000000074021000-0x0000000074022000-memory.dmp

memory/1924-1-0x0000000074020000-0x00000000745CB000-memory.dmp

memory/1924-2-0x0000000074020000-0x00000000745CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3ckpluyt.cmdline

MD5 655066a24eeb56c373bf371c02d7fcd0
SHA1 20c478ed7ea7ac237dfd202a84c058640dbfee2c
SHA256 eead908b5ee0391e0114b61bee8b4fe0bf075ff54c75b4c761aadeaa69192da7
SHA512 e9aee5bdaf234a531680a87bcfb2fdcaaa7e01624023fde59b06ef1f2488f9e6b0699d7ca68d6d920b2de65793e90e4e59683cae642fda4a2f85e8316e160aa9

memory/1936-8-0x0000000074020000-0x00000000745CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3ckpluyt.0.vb

MD5 cbc8e3899969db9634bfcbe0e328d883
SHA1 7851584ce2959323dc4491afb73332436f30ea39
SHA256 13d13c5d563f31cc9f374580464fb3dd12aecbc9e8141af20b42f1643eb3800a
SHA512 0cb0866293634d1363c1cbeb2d023bd010d41dc3cf1c31e6abf9eef2dcaffb96a1d40ee89df4f8c59bef298d620baffc2b7ecb3245da015d368fa76ad372a88e

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc9637.tmp

MD5 5e41b0b937a453c32b5e235421c1f00c
SHA1 a1a51cf15ab6910d01be111ded6b28202eaead90
SHA256 b7b00d1114312fbafbf42cf5cc1c0b084fb5df0313bc8d529377f1486806bec6
SHA512 b88d72908634c6ac2b8c8ac81f54d7bbb7075edd6802d0f4659535c464f315a82f03fcb560fffa6279eacfefe741fb2f722fd055177dd2a1268b212ff5657cf2

C:\Users\Admin\AppData\Local\Temp\RES9648.tmp

MD5 02179fb1f25f24a3380b9460cf7a9ef9
SHA1 b8936495e490ca017b27946ec2de0402b8ed17a9
SHA256 efde9e5e1b537cfceddf0d9b87d078e618862e84f9a850a9180a831757b9cb20
SHA512 210309a9495c44a353a98b80772cdf5dc2f0d8eb4f473b2e115b4948e551a97f0cf2f41d5ac95d801ffbe5211089f548a3fbcada5778f025ee5abc3f7dbfef74

memory/1936-18-0x0000000074020000-0x00000000745CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmp.exe

MD5 ae8ab3250af9cdbb14afe3e813ec8f29
SHA1 331e782bbe2cae03fd96cfab51b66aaa208b6578
SHA256 7825c29ac122e27ddfd4d91faae163ad370b7a205f45fb89e2fa0519ae1f1c02
SHA512 df3e0f521f8096ce6633bbdb10be1ca5057f5d79e637788964405ecd355bcb13f70f6af7fc05c85352877863f5999c34348b0398e844f69fba912ac31237ef51

memory/1924-24-0x0000000074020000-0x00000000745CB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-23 03:10

Reported

2024-07-23 03:13

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp73B9.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp73B9.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp73B9.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp73B9.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4588 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4588 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4588 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2100 wrote to memory of 4100 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2100 wrote to memory of 4100 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2100 wrote to memory of 4100 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4588 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe C:\Users\Admin\AppData\Local\Temp\tmp73B9.tmp.exe
PID 4588 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe C:\Users\Admin\AppData\Local\Temp\tmp73B9.tmp.exe
PID 4588 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe C:\Users\Admin\AppData\Local\Temp\tmp73B9.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe

"C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pr5oteg0.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc572F2FA62314697A684AD2CB1F7E848.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp73B9.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp73B9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\584c0b6241c94a0bd06ad1be57123a30N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/4588-0-0x0000000074D52000-0x0000000074D53000-memory.dmp

memory/4588-1-0x0000000074D50000-0x0000000075301000-memory.dmp

memory/4588-2-0x0000000074D50000-0x0000000075301000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pr5oteg0.cmdline

MD5 7c33db835f646da122f244d71b3cbe6a
SHA1 9b3e8f3e93def8d371c28c7c64dce7c269a871da
SHA256 95c50fbddacb9a68bfb56b8f3c2161ff3736ccf70fb1f32f27cc5e8298ee738a
SHA512 3d1065d3ff0332c687ce2c36ad181e88531ffa7cc66d3e203dd728a9790362a6b106ee0656e83f7c0f9a505a4dcd40ff6edffd67b68f030093c490e3d3987f38

memory/2100-9-0x0000000074D50000-0x0000000075301000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pr5oteg0.0.vb

MD5 69dae149936ec2beea5cddbaa099da55
SHA1 6fbbd63b8e43fa3a7eb62287306035bed5e4c50b
SHA256 51c35e8d0273a7a822ad8b8bab48869546123f0b4eaf710d5b2b50807ff18bbf
SHA512 951a4afe4a183efb6a6a3ed06492e8203100948d650761cfc7ef02af9bbadce65ebbb8f5468b489f70f6174589a7d4e4157e04fef86af6ef0b2c966f34bc4f27

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc572F2FA62314697A684AD2CB1F7E848.TMP

MD5 b1aa6d0ec96363c4f361a0091a143ffd
SHA1 b4b9bf103490fb315faea7edc47dd280e5b9b057
SHA256 1cd1549c50ef53cb263f93e0d86fea7911910ecf290019c3d0fcf2125a25dc9e
SHA512 902a90c689a7a28238d9a7af5823a69e0d10a33f65ef194a53c76b15c1eeaec46a10bb1ee6fab33b095acf525826423fd3389516f41385fb7302e21653f66e53

C:\Users\Admin\AppData\Local\Temp\RES74D2.tmp

MD5 99a580fb975a2e53889da5c847bf1a5f
SHA1 4647e38b0f0189fe76e9de5daace0040dd045a5c
SHA256 3eae3a42ce5ff112f34b1d6ca7b7ea7db0135fa1c1e6950d66fb6e140c18a880
SHA512 d39962b06841f9570865e06365de1efd462936c07ac0f265110bd509474f7d9fda3b997246fdcd689b7338a70cad33dd1ebbb4bdd6c03125054ca04547d20858

memory/2100-18-0x0000000074D50000-0x0000000075301000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp73B9.tmp.exe

MD5 da5ded5c3000f967cc91e12fc7647267
SHA1 7d89b88311beb16427f87da534bea464acd4fbb8
SHA256 1a0c200ad1dc381111772291d1379e1217dd02a68d49b2c7e95ef5c8a9603dab
SHA512 df31ba24d75effa324f0386cd489d4244215a7f34e8815189c895c03f6e8aa8c6fe15db715217af6727393658dbc7e6b545c895af6e40c14b32b3a9dc67dafca

memory/4588-22-0x0000000074D50000-0x0000000075301000-memory.dmp

memory/4696-23-0x0000000074D50000-0x0000000075301000-memory.dmp

memory/4696-24-0x0000000074D50000-0x0000000075301000-memory.dmp

memory/4696-26-0x0000000074D50000-0x0000000075301000-memory.dmp

memory/4696-27-0x0000000074D50000-0x0000000075301000-memory.dmp

memory/4696-28-0x0000000074D50000-0x0000000075301000-memory.dmp