Malware Analysis Report

2024-11-16 13:10

Sample ID 240408-3gtxgsad41
Target 86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310
SHA256 86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310

Threat Level: Known bad

The file 86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 23:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 23:29

Reported

2024-04-08 23:32

Platform

win7-20240215-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2204 wrote to memory of 2544 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2416 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe

"C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wm30nljz.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1759.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1758.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe

Network

Country Destination Domain Proto

Files

memory/2416-0-0x0000000074CF0000-0x000000007529B000-memory.dmp

memory/2416-1-0x00000000005B0000-0x00000000005F0000-memory.dmp

memory/2416-3-0x0000000074CF0000-0x000000007529B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wm30nljz.cmdline

MD5 99a622662b1cfe8c1002479375971d71
SHA1 d9a3ecc4e364fadc0d3d3aea57d5276458332082
SHA256 c738a6686846b8c627d66d8e32caea192b5fec7fa7899fd1cd850b3f43b07def
SHA512 417fd7e2f1fd7251d000e2844a44c557ca3c59331aba2d47ebe4edc2d77ca3c9e881aa631bcd15587700d9ac84b4c05a4e8a65c2ea9a2b340ac9efbed97da8e3

C:\Users\Admin\AppData\Local\Temp\wm30nljz.0.vb

MD5 e19ecf2aa032a20a207189e2ca5d4a8f
SHA1 a55b2ffb1da69421594ef08d73d8628686f7f485
SHA256 6b4d29f60ce521b3162f9200e8a496ea7c532a9362526e2c449364c804eb41e5
SHA512 6318608daa8ecb776f00659ece9e23cc77f51d6698955f1afa6472fc82465d17cceadf3932aa45717b27752142d1e7de74ad83a5a00e0a65f46c3f049c9bda43

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\RES1759.tmp

MD5 5d1545a2c62b5a5da368536ba7af2ec7
SHA1 348feea04d4d4a2434ed57b69556fab6bd53ee0a
SHA256 e3a377b2a26ede7f8105309a80b314d123f47731c7bfcb397538904ffe698e11
SHA512 10bace610c613e0ba71d8531972a1e320a6c26798efbf96e0ecf7fbd53172cefcb685ff81c59e2cbc34ec25b7f32e6c7364048634043993bd4875fef0ce08ea4

C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp.exe

MD5 620bc88976324a4797749d0c514719ca
SHA1 7742437f4f46fe099d6c88d8357be327e965411a
SHA256 3679fd60c4cbcd98ec52fea56668295019091d922086554df57c7cd3eb5cdeb1
SHA512 e07dbaab2d164da1cee95980188ad1db61774df6080736e16cf6045c9482532ee8fdd86688d986e2d9286d0c0117b4759b815188c7bdbebb8fdfb133d9d0c5b1

C:\Users\Admin\AppData\Local\Temp\vbc1758.tmp

MD5 5450dafdd83262b5aa7463021e209498
SHA1 d52fe4e1db8dd050356c6a2a7ce4dda39dd60b7c
SHA256 2846e8a62a4494c63a50fa475a0d92c0665b8a832f9c3f1ac0cd7bfa42a5aae8
SHA512 cff88ab69a113e2775bc084c0942c47807d1781a2da0cbd4ff08e9d8c29a4c2c71aef7a709daf88f209a8bb88858936216c30145e60c9672f179a4f3068831c0

memory/2416-23-0x0000000074CF0000-0x000000007529B000-memory.dmp

memory/2556-22-0x0000000074CF0000-0x000000007529B000-memory.dmp

memory/2556-24-0x00000000023C0000-0x0000000002400000-memory.dmp

memory/2556-25-0x0000000074CF0000-0x000000007529B000-memory.dmp

memory/2556-27-0x00000000023C0000-0x0000000002400000-memory.dmp

memory/2556-28-0x0000000074CF0000-0x000000007529B000-memory.dmp

memory/2556-29-0x00000000023C0000-0x0000000002400000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 23:29

Reported

2024-04-08 23:32

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4045.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp4045.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp4045.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2928 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 868 wrote to memory of 1652 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2928 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe C:\Users\Admin\AppData\Local\Temp\tmp4045.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe

"C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3fnb4f1j.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES417D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc707C5DB43C8D436793BBAA474F365DE5.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp4045.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4045.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe

Network

Country Destination Domain Proto

Files

memory/2928-0-0x0000000075040000-0x00000000755F1000-memory.dmp

memory/2928-1-0x00000000015F0000-0x0000000001600000-memory.dmp

memory/2928-2-0x0000000075040000-0x00000000755F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3fnb4f1j.cmdline

MD5 d701f6483e913122331c112b0ebcb3b1
SHA1 ea2df6958a0fbb2c9a29de0c98180495a86cb2b1
SHA256 84a652b615a2fad19ec18357520f2fe246ccbad23e20b6356de7e9524c5a9173
SHA512 b0497201010b9f11e395049f552e92bd07acd61a40e8f13b895c91a8ac7a9d8dd835a50295e5e7e18645c9742ed8a014a9f364e76c38cf0830f55cae8d3e8593

C:\Users\Admin\AppData\Local\Temp\3fnb4f1j.0.vb

MD5 daf690c9d79c8f7ad46244d687ed7da5
SHA1 8c2d7b026bea2cdd8cf363003dc89e14a559dc28
SHA256 ba5be369e1c903d87402cb22cae86f6c3fe0cfcd306bcd6935e3ff9a0bf0ede9
SHA512 c0532cf862b3b37ae23c6228df9f2b490a7b58c109e76896937809bdc560c3e34c2aeeef0ba708ceb0a0b4b44653032f3befa2cb6a5d7a8ee8ac415a3c39af3f

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc707C5DB43C8D436793BBAA474F365DE5.TMP

MD5 ff15d2f04bc5d6b3508bca68df2a20d4
SHA1 9b8f7547e6af9af8f3ea40905e814fd5278d4f03
SHA256 197c9e3be1e1250262e240b4f032b05121b32ac6881ce3e9b7828bb9c11f7bff
SHA512 fd04cf3614fdf73d1c491a4781799301be21aed9772ffa411fd6103320e6b197bb9a9c24f6dd1cba921c3cf33e3fbc9db26716569140b6d79126cda288cd831e

C:\Users\Admin\AppData\Local\Temp\RES417D.tmp

MD5 51a2dcba163ba84415aa8274fc5442f6
SHA1 478d99ed235f2f768246952e0165335b967a6836
SHA256 4922e9d3f3ee4fd5550f3f44098c603d97cb7e5a85628655e664c256bed09c76
SHA512 d5cf636a34f5804ed70d12f3b285c82cd50ecc196814998e5871d231fc62e689da9d28f6eb94ed9ff6fd36efcbfd554dcd206f7c6fa151fe163ec25a87ea97f3

C:\Users\Admin\AppData\Local\Temp\tmp4045.tmp.exe

MD5 053a44b4297ea526c2f5ddcfafd56507
SHA1 216572a94bc18018f8a9c6e8a92798c090d5c7f4
SHA256 85ee768f1b1cceedeb5bb403623866697166eefbecd41e7ad1cf138dec2e5c09
SHA512 f2909dcde84d4fc9baa6cb4ab53f97219bc60e84b4d2606a1a69ecd78f08f0a72f15760f3e77e1bf1e6c24ff6fe431f941980d8f609d34c800b96962bfc01fc5

memory/2928-20-0x0000000075040000-0x00000000755F1000-memory.dmp

memory/1596-21-0x0000000075040000-0x00000000755F1000-memory.dmp

memory/1596-22-0x0000000075040000-0x00000000755F1000-memory.dmp

memory/1596-24-0x00000000003B0000-0x00000000003C0000-memory.dmp

memory/1596-25-0x0000000075040000-0x00000000755F1000-memory.dmp

memory/1596-26-0x00000000003B0000-0x00000000003C0000-memory.dmp

memory/1596-27-0x00000000003B0000-0x00000000003C0000-memory.dmp