Malware Analysis Report

2024-09-11 10:23

Sample ID: 240727-gbkkzazdml
Target: 9a4b57bb2ade93773070d3f4c171f970N.exe
SHA256: 2b4edbd97dfbaccc7d82e2e19149088172f5a6f46da5ae30e15a6574b0afcc5f
Tags: metamorpherrat discovery persistence rat stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 2b4edbd97dfbaccc7d82e2e19149088172f5a6f46da5ae30e15a6574b0afcc5f

Threat Level: Known bad

The file 9a4b57bb2ade93773070d3f4c171f970N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Uses the VBS compiler for execution

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-07-27 05:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-27 05:37
Reported: 2024-07-27 06:00
Platform: win7-20240705-en
Max time kernel: 119s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp91A5.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp91A5.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp91A5.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp91A5.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2272 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2272 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2272 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2272 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2820 wrote to memory of 2872 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2820 wrote to memory of 2872 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2820 wrote to memory of 2872 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2820 wrote to memory of 2872 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2272 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe | C:\Users\Admin\AppData\Local\Temp\tmp91A5.tmp.exe
PID 2272 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe | C:\Users\Admin\AppData\Local\Temp\tmp91A5.tmp.exe
PID 2272 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe | C:\Users\Admin\AppData\Local\Temp\tmp91A5.tmp.exe
PID 2272 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe | C:\Users\Admin\AppData\Local\Temp\tmp91A5.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe

"C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nc1kt2hf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94B1.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp91A5.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp91A5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2272-0-0x00000000748E1000-0x00000000748E2000-memory.dmp

memory/2272-1-0x00000000748E0000-0x0000000074E8B000-memory.dmp

memory/2272-2-0x00000000748E0000-0x0000000074E8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nc1kt2hf.cmdline

MD5 017ee2bab7e64d8e39e9e537e349b801
SHA1 2cfb4b34743b430219a6e678157d5f1d0fdd3fe9
SHA256 e2ac17c12ad7fd75b2eb58e7527645d7e91a54da3e5a91d89fb3de92290e274b
SHA512 1c908b0c6a1ae0ab2d795524e3676c1a92ee57b0eee577a952be0924b5008c6797a7d91ab1733ba5d61ecc79dc8f82500b3177a532429edae8ae9d3b59bdd184

memory/2820-8-0x00000000748E0000-0x0000000074E8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nc1kt2hf.0.vb

MD5 c42ad67e2aa92733a79bd6ba757105c7
SHA1 351a1657b30ba9cd5152b88c89702a5558cdf523
SHA256 ee7ee91288206f689c9db88bb4258f920816b266655819eec02c8114e46e3939
SHA512 6b33143496179ec396ed6c974f48ce7616c80e78e70ab74b027ef60c517ffa4efe6ec871af41443d8f6a80a6151393fd4d9e0b1e45de73b4c2969c7b4da88ad0

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc94B1.tmp

MD5 dc1a0e8ae4a2f8f42effbf7675e49f9d
SHA1 c2fecfc3dcba9498859f3c7e153d9f6d8fd33123
SHA256 5b268273d22850cab4640f5571bcaa3f7288dc382162a748299bdbad457cf3a0
SHA512 94b92f2950973637f78333f35e1822ece134fc4ac4ac184fc1f466471e46279d400be78d96fb0662a572dd2ab6b4e4170d7303dd2bb0b8671cae888792faf35e

C:\Users\Admin\AppData\Local\Temp\RES94B2.tmp

MD5 c10ea92bef748fdd2894ef6543fb5ac9
SHA1 22c70ec6b8806c13502d2d043e45446f07da91c9
SHA256 6a752f494da17a83e5a60e11d337f24a11b7c13decadab7a6bf60b62a4cae23f
SHA512 6677ac3fa6e8612788df27026362c46b15cf68172abbca5cce14c97b258111372d9ccc68ea1ad8cc8479b6ab2b535d22f04bd11e42acc4be533e2d94b3bd576e

memory/2820-18-0x00000000748E0000-0x0000000074E8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp91A5.tmp.exe

MD5 afdd715f918f2564dd2d6f7d3d6716e1
SHA1 21540c4c874453564e43cfe4c645a5c38a5cff2b
SHA256 52efe22d36049ae0325e5fbb07d0f0ed0878c3cc28a8fc49f6bc6f1a76e63ae7
SHA512 2508c077cf06d3af4c9de7b9700a9333a8d7799b9fbf7d6ee78f42ee0bc496fd595caa014e66049bfca458d3ce89a4c76a31c120f0a95df1173d6dd89ed46628

memory/2272-24-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-27 05:37
Reported: 2024-07-27 06:04
Platform: win10v2004-20240709-en
Max time kernel: 120s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA690.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpA690.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpA690.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA690.tmp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe

"C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k37ia8ts.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESADD4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2BCA5D62400846F6A6DE9E12F47BAEE.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpA690.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA690.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9a4b57bb2ade93773070d3f4c171f970N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 udp

Files

memory/3952-0-0x00000000749D2000-0x00000000749D3000-memory.dmp

memory/3952-1-0x00000000749D0000-0x0000000074F81000-memory.dmp

memory/3952-2-0x00000000749D0000-0x0000000074F81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\k37ia8ts.cmdline

MD5 af33933c263078d97763a8a57d75892a
SHA1 0d6040e8413feb7785e230ebfd31adcb70c73dbf
SHA256 835ddc44c6476455c546f3fed7d38cdbc403620855b004775268c474433c393c
SHA512 41cef66dfbba0ab64dfe423c72735e97238590a99a4734794018414b7738b91fec12b1562db11e14677533ec7ad7e09c40e47a4c7a6ed07d2159d6921f79469d

memory/1804-8-0x00000000749D0000-0x0000000074F81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\k37ia8ts.0.vb

MD5 8603d868a2934a6f3b0f4f18dbf3c47e
SHA1 670f140dbff62f493f7306cf581fbb0283da1674
SHA256 71128e732891f87e038fbe8670c669d0510f8b683099f12206fbe2a402d36f06
SHA512 5b635738f3cd12c3d58dd1fdf97e2c6a870f7233380e39c2704fbcac0d4960fc9f041e5c913b7b84380e94e12b28dff1061d193734561fece5cb40b58e54d459

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc2BCA5D62400846F6A6DE9E12F47BAEE.TMP

MD5 a85c69d88e5e5bfcf115276e930c4e71
SHA1 edcd730dad173798ce8f02f0da28801f83787b8f
SHA256 3c9f8b3ab5bd54f95c1be1b5c95c674d11bbf2894b08728152c9a9ae8a9f50e5
SHA512 581a9d03e5348160f4b3ff9f86523dddd90f60ab299636ccd51d72ed577dcb390ba2981c3530a3cdcf234df6c81160306be7ab21eadc988d015198474d3bce2c

C:\Users\Admin\AppData\Local\Temp\RESADD4.tmp

MD5 a89c0d4f7dfe41d6e26c23262e8975e6
SHA1 45b7a4ae83b0de904a823732dc2db6f99670d8bf
SHA256 83f9a98e8b9b1608eb1e982ae690a334a5b7bf373bb188b52eed0248c9252423
SHA512 6f8af395168ba3bf9ae39347833873c471aaed5bbc1e3f218caead2e9c1b5c71cafc0fbd95c556faa2dd363a201287fdbda9f0adfe0023e91f7166eec4fb01c9

memory/1804-18-0x00000000749D0000-0x0000000074F81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA690.tmp.exe

MD5 18d29dadd9e13a1e91e0757dd0bffdf3
SHA1 de2e86e1885d84f72fafc2c5ea07a120297f5c4e
SHA256 880958e6bf49b3dd0014dfc16ba6d8508e0b1be3aa0ae8fe41abcd8dca18ebab
SHA512 109e4a9d762cb509faabbcdbc39bd12c4273fc1ff4c2db71c5764ca4bb01481357170da14ed598815365864c43f0c7b9f8243e6c48961cc03630393e3c55865c

memory/3952-22-0x00000000749D0000-0x0000000074F81000-memory.dmp

memory/2288-24-0x00000000749D0000-0x0000000074F81000-memory.dmp

memory/2288-23-0x00000000749D0000-0x0000000074F81000-memory.dmp

memory/2288-25-0x00000000749D0000-0x0000000074F81000-memory.dmp

memory/2288-27-0x00000000749D0000-0x0000000074F81000-memory.dmp

memory/2288-28-0x00000000749D0000-0x0000000074F81000-memory.dmp

memory/2288-29-0x00000000749D0000-0x0000000074F81000-memory.dmp