Malware Analysis Report

2024-11-16 13:11

Sample ID 241109-b2rjbaxjfn
Target 9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713
SHA256 9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713

Threat Level: Known bad

The file 9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 01:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 01:38

Reported

2024-11-09 01:41

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA850.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpA850.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpA850.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpA850.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1800 wrote to memory of 1056 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1976 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe C:\Users\Admin\AppData\Local\Temp\tmpA850.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe

"C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i5vo3lhg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA91C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA91B.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpA850.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA850.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp

Files

memory/1976-0-0x0000000074251000-0x0000000074252000-memory.dmp

memory/1976-1-0x0000000074250000-0x00000000747FB000-memory.dmp

memory/1976-2-0x0000000074250000-0x00000000747FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\i5vo3lhg.cmdline

MD5 ac3d32ad021bba7260068221c1a02321
SHA1 4574fc46b41852a5cfddcce0b2b4b95bbc18562f
SHA256 f7ecbb84ad1253479ae7a109da6dea2fe531f9bd628b9f8e395e7cbd70424bc9
SHA512 10dbe98fbda9e9a4f83b7098e6d77487e6b2629ae85abd0539119e9d22973ab9f762aedb19a4f6e5048ffe89a4a9d7e19534ed0da7ca4a6c9d617975bf49d29d

memory/1800-9-0x0000000074250000-0x00000000747FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\i5vo3lhg.0.vb

MD5 05835b86fda588262af0cd5a25d9925c
SHA1 fdd57e81c9d730adb7d4292c00aa0d18db4a480f
SHA256 48f08ab8f8d034188ff1b0d73d6c9af20c2e51142c3d643606405bf368eed1cd
SHA512 07a7deaec1ec7dd4631b4a6c37827f5b48a9c395555edb148fac465417910ef165266da37088d32ca2d9eabcbb2b79ea4aad706474d3eecdc809e09bbfa2723b

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\RESA91C.tmp

MD5 c1d71456c87c4407d4870edaec24e2ef
SHA1 d1ef4bc7a2edef630f44242ebe2be8fc07dce32c
SHA256 09a1c5b22b9522ceb6ce25da8dc98b48079ec001a60fcb120aa13b1b562eb8b1
SHA512 0798857432663a0a081c8b5ae08854ef59f3c7414314b6f36952789f420fd28fe269c7f8179a4bf3753f1f54aac01d797e6e1f8e2d97a3cee7834b9bc4ff6ae2

C:\Users\Admin\AppData\Local\Temp\vbcA91B.tmp

MD5 74dcc24af3d1332ac0ba7990c4609c4b
SHA1 4aba0caa0fc01770b2b3e732a435eecd7780ff3f
SHA256 582267d9944e1d894c034e07ebc910c3778b4ed583dbb821e92e95626d0b10b6
SHA512 39c4ea896ff6df0961a2bcf9880515a6f4f400fa7c0a81255c1ee602dcc23cfa8d2b83abd96a5f83955e0ec985cd4c20dace228eb97d9fa3e44837bd3a4f2827

memory/1800-18-0x0000000074250000-0x00000000747FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA850.tmp.exe

MD5 b4e084eaad42f350181bdc88a8e92c03
SHA1 05f76988858e819d1a5fcea553529a9a9ddbc7db
SHA256 41e99d16369b1d8d7e98c6333197b8390e5fc0b7084d577887662f3f9d340fb6
SHA512 42c7ee693c2ac50dcb9c03c5832414c95e88997d154a8b9f8acd34428bb610a1f8a5ad25e1a590de7f4ff4b3105ec3ebea8008cc083e18094fcf44119834e37a

memory/1976-24-0x0000000074250000-0x00000000747FB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 01:38

Reported

2024-11-09 01:41

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpAD38.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpAD38.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpAD38.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpAD38.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1744 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2656 wrote to memory of 2952 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1744 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe C:\Users\Admin\AppData\Local\Temp\tmpAD38.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe

"C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d1nilcrl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAEDD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7BB6394E664B4DEA89CABCD1CB84B6EC.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpAD38.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpAD38.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9bdf2f340d274b49caf05000e9abe9245c3e4fe4f4478292160c506176a50713.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/1744-0-0x0000000074F42000-0x0000000074F43000-memory.dmp

memory/1744-1-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/1744-2-0x0000000074F40000-0x00000000754F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d1nilcrl.cmdline

MD5 321f282acb4f9c4f7e7497f392201f2d
SHA1 3abe4926f727a43914f4b692943b199bfdecf197
SHA256 6bdafb9ee5c9eee9a55fd0c2ef1dfee028bfe3c12141b67d678b3d86f2dcc5c2
SHA512 52d85aa707c186041a85c1bddb0ed8fdf3dcaa462a9af2529db2dc26b65b933edd9af3edbf6866e216d7e6b96f9eeccde2865c2fb12f06c08aa8021e450ecf93

C:\Users\Admin\AppData\Local\Temp\d1nilcrl.0.vb

MD5 3ec36822b50fc4d1606045e4e00a511c
SHA1 71a9762edc772852c1d8e6deaa9432e67b576de1
SHA256 a5ed12c5f52c4470186c6086b49b909e4de5ffa201c94cb338ca7d3f1244a457
SHA512 9088aca1006f5ed788093e081b2700482d6c6dcd30fefdd3b2460c7570a4482fd1bac51ddc5e82d3649f57db1d4512a96a7fc02f7dbd8bdb71087b0da6588b3b

memory/2656-9-0x0000000074F40000-0x00000000754F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc7BB6394E664B4DEA89CABCD1CB84B6EC.TMP

MD5 c3474e2b9d53470a25ddaa4aac2c437b
SHA1 ce3e7c0e40fe999c44c11797ce9015b2f5ab8c6f
SHA256 8d260cd83ec4b65b0f81804b2a713900b643a3f05bd4bf3017c8ab47b5cfcfe1
SHA512 3363e50559d3ccd73ac6a7649a218beaaaeb7f10b1ac8100d0eb9d85be446b068e6471cf6073794ace3b4a936a0f052df60cb98e3a70b66f45f755442d10138f

C:\Users\Admin\AppData\Local\Temp\RESAEDD.tmp

MD5 4671807bde8645ad4920214cf1af7b55
SHA1 0b23d0f29a27d59484849643ad3e5fa293dfedbd
SHA256 7586b06fa2f4da3e3964461783656f1c447b035a2fe588cbe5eab2beb67331d9
SHA512 3a41074881888172a2c4abb8cda1085fd538b7cf1044f7bea5eb775cb62e3cdbfca3d580f5f4fbd84f255994897f9a651526142edf205894c7c6d7d087e80650

memory/2656-18-0x0000000074F40000-0x00000000754F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAD38.tmp.exe

MD5 19a02c8375fb7eb3732b26710f8a7a76
SHA1 b3c077eb13421cfa298ac354cf5ed956b7130bc8
SHA256 d283c626bf0f9239439beb0fc2328f2b6cf4d3a14b9fd6d78070e41c5d9fe2d8
SHA512 cfb81a93a10ff4878cca4e0abbe51e883194d3dcf6d745ea460cc38967823d827b85254eb3b58e497750143e5f5c5831bbcdf808a2f531c3f29b4976bacdc9b7

memory/1744-22-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/212-23-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/212-24-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/212-25-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/212-27-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/212-28-0x0000000074F40000-0x00000000754F1000-memory.dmp

memory/212-29-0x0000000074F40000-0x00000000754F1000-memory.dmp