Malware Analysis Report

2024-09-11 10:24

Sample ID 240724-nw5j7svbmm
Target 7eb691f7e305078328210e594ec87900N.exe
SHA256 dfadb1a98835ff8b2f88c84c544d7e1a944b37ea2ff085b56c44ba0337185394
Tags
discovery persistence metamorpherrat rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dfadb1a98835ff8b2f88c84c544d7e1a944b37ea2ff085b56c44ba0337185394

Threat Level: Known bad

The file 7eb691f7e305078328210e594ec87900N.exe was found to be: Known bad.

Malicious Activity Summary

discovery persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-24 11:45

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 11:45

Reported

2024-07-24 11:47

Platform

win7-20240705-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpF93D.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpF93D.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpF93D.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpF93D.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3044 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3044 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2028 wrote to memory of 2216 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2028 wrote to memory of 2216 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2028 wrote to memory of 2216 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2028 wrote to memory of 2216 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3044 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe | C:\Users\Admin\AppData\Local\Temp\tmpF93D.tmp.exe
PID 3044 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe | C:\Users\Admin\AppData\Local\Temp\tmpF93D.tmp.exe
PID 3044 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe | C:\Users\Admin\AppData\Local\Temp\tmpF93D.tmp.exe
PID 3044 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe | C:\Users\Admin\AppData\Local\Temp\tmpF93D.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe

"C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0c-ppye2.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA18.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpF93D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF93D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp

Files

memory/3044-0-0x0000000074001000-0x0000000074002000-memory.dmp

memory/3044-1-0x0000000074000000-0x00000000745AB000-memory.dmp

memory/3044-2-0x0000000074000000-0x00000000745AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0c-ppye2.cmdline

MD5 84a02c95d0af25e9cc84454bf22a8464
SHA1 b8513b5f0db4a8957baec31e6cc7d37da42fde42
SHA256 666730a2b7ff68dd963b989045479cd9510646487f009954987ac54f04737c6e
SHA512 199d973384703012e34da415808287c6c1494792d7fc1b910e94532f3ba3f6840b2079bdbfc422c35d4051b4450282c07dcf7712195217f72ccdf196e1f777e0

memory/2028-8-0x0000000074000000-0x00000000745AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0c-ppye2.0.vb

MD5 6e6c2932cc81ec3d5e7685e4aefc4b4c
SHA1 1eb5ab9a3be0ea45a1ca676cd2009811138ba39d
SHA256 ede75327262b842851e730153af0f9209937ddf179612ddc9d55e9d0e979c27b
SHA512 69bcbf8c96b32f23cad253fe43e26422b22de142caeec71de58d0d127e077728a0624ee08da8858ad603362b845b661d0486443e597f52ff8e8a818e475f131e

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcFA18.tmp

MD5 6f2e78081a46db2a2a72a948ff5734d0
SHA1 16414615fd6339613f6aa30e763f8ca1375e3f21
SHA256 89e8a03c1acce4d3885837625a5502574905973c62858913127749a23dee4bf7
SHA512 c439d12e4f6d418adcbd659d0438e1d46919a649f970f15624522649062543dc4dec7a6ce4cf5fcd583e74f4ae1b11d0c48611e721a4f1733399537396c2c8e3

C:\Users\Admin\AppData\Local\Temp\RESFA19.tmp

MD5 4fb267e597865291acfb97dcc53efc3a
SHA1 06c6194d75a7c27b7aa37d365c99a0e50951558a
SHA256 e15eddaf97b64f2678a2e8d8af026dd6f1cf9f1d4060fc6bec174b6dcf6494ce
SHA512 de39d5dff8d1867f328b6bbd610883b77cdbdf2167cddedbb4b03b60a128157437095908039ca358c499fbf77b061ba7a5a315b659520ba1bd0d877d4f8315d0

memory/2028-18-0x0000000074000000-0x00000000745AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF93D.tmp.exe

MD5 23e6eb205098fbd9fc69e88466ac8de7
SHA1 f75c60656915c5e9088693d6757f228d89cfef4e
SHA256 09ccf1f15609c916d94b67da95864ea130c2166ce1894fdec687f532de999417
SHA512 fe0ce144c62a89d92669625e21957a72c642e6660a7b17ed2b3e92d3c1acb676c2343a67e4a8c0ceb7c7d3de072e4c2f2c95677e15b745ce06da89f1daa6f3bb

memory/3044-24-0x0000000074000000-0x00000000745AB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-24 11:45

Reported

2024-07-24 11:47

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpE474.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpE474.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpE474.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpE474.tmp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe

"C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tpjf9_mw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE639.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF45043D5C6154EFBA3AB218D37A66F26.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpE474.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE474.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp

Files

memory/820-0-0x0000000074C82000-0x0000000074C83000-memory.dmp

memory/820-1-0x0000000074C80000-0x0000000075231000-memory.dmp

memory/820-2-0x0000000074C80000-0x0000000075231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tpjf9_mw.cmdline

MD5 f992695d8b65ed18fe5f0ed3feb55bd0
SHA1 f2726e7964fe94a668515c0699573ced94b57ba4
SHA256 ae1c3a30df978109ea35ec369a84ee1d39d9caf9da219cde477b7f71242964c0
SHA512 460dccced229008d33dccc9299743e7712e9872ef63c5b55f4499efe939b066c4b4aaeb91be490614e8f511f85623b0b90aaa982f4ffa68a383d38fbd96eea99

C:\Users\Admin\AppData\Local\Temp\tpjf9_mw.0.vb

MD5 016038b7afd67607ccc40e206ea19c2b
SHA1 4c79b219fe86e36abd3798bbaa9decf6f8ff7f81
SHA256 d80cded9c711852a5729e055cfb15b4654ebe3e754ac3f6af8abecf90d839aa0
SHA512 1ccdc191b9e27f8e90a5a9d87002a5cde4f471dc3d54845f087ad4f514fe9ded7f4f8252abc61c50394a7a37253769c2bb1a32f780075f08910739bbb409caf4

memory/448-9-0x0000000074C80000-0x0000000075231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcF45043D5C6154EFBA3AB218D37A66F26.TMP

MD5 cf3c4312515d478d9dc2578ab7fd16d9
SHA1 3a055644aff164e8c8426bee7a7709efe8468f2d
SHA256 7c1fc5b904a6c81eadcfc5cc7714e6941239f26bf78b9394743d9b701d05e0a8
SHA512 aef69412353b75db8c17944eaeb5c01600ea318d95c58a576786e488f635783f810affcea1878892b38822ceab6a779f9887b4b87993cfaf99512293883e5420

C:\Users\Admin\AppData\Local\Temp\RESE639.tmp

MD5 f29727508d1584f963c626973bc7b5da
SHA1 4c4dcff94ea0c7c069e38f7f7949273117c27438
SHA256 b55bdf06853a6823932c7297fa2e2f7a2f1cbbac560425f8c7e4f7b16e05b8ae
SHA512 e8cbb6e5d931db8abcbf271e1bfa7195f84667a7d107ab45ae0f6ddf35443d8ab7eb392f5fa7a2d52f5f5b4c63b594b0c110116e81a282c0d0366338e7addba0

memory/448-18-0x0000000074C80000-0x0000000075231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE474.tmp.exe

MD5 fabe2560e4f277886e98f8654a63adae
SHA1 cb351b12b1d8302500466f74213bad1d9a7cf1f0
SHA256 75f1bc898b494ff4fd84ecac3e3a592619a4929dfafa7adb79fde37db4a80b42
SHA512 a6755cd5db63301511ace52ba7e3f562fa47f3d1fe419bd3515018010e450dd54946e702cd65e10332abc8dd5397ee2059304ea621373524302cf2a3f054790a

memory/820-22-0x0000000074C80000-0x0000000075231000-memory.dmp

memory/1664-23-0x0000000074C80000-0x0000000075231000-memory.dmp

memory/1664-24-0x0000000074C80000-0x0000000075231000-memory.dmp

memory/1664-25-0x0000000074C80000-0x0000000075231000-memory.dmp

memory/1664-27-0x0000000074C80000-0x0000000075231000-memory.dmp

memory/1664-28-0x0000000074C80000-0x0000000075231000-memory.dmp

memory/1664-29-0x0000000074C80000-0x0000000075231000-memory.dmp