Malware Analysis Report

2024-11-16 13:10

Sample ID 240408-3pmhdafc74
Target 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63
SHA256 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63
Tags: metamorpherrat persistence rat stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63

Threat Level: Known bad

The file 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 23:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 23:41

Reported

2024-04-08 23:44

Platform

win7-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4DA3.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp4DA3.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp4DA3.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2504 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1768 wrote to memory of 2128 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2504 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe C:\Users\Admin\AppData\Local\Temp\tmp4DA3.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe

"C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\snlrwylj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F69.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F68.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp4DA3.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4DA3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\snlrwylj.cmdline

MD5 76b15d77139bb926f5633bec87d72240
SHA1 2156864d88a83d287fc77228a3f09026c1bf4253
SHA256 4ead162907d3172ddab5341498b02192d07b1a18e974dd0f433f5e326afa045f
SHA512 2dbe37773b987bd0fe2983b8c91ab594725db36bf6a0881d49bc9593086da0b56af9d1c7b040030d1e3a5b53b605206968e3f9601c8cd935221dc88cb3aab725

C:\Users\Admin\AppData\Local\Temp\snlrwylj.0.vb

MD5 b25ad46db3cb1eb0bfebde35b0e8ef4a
SHA1 c22802af0094f454db2da6377c38f79751ef0eb8
SHA256 7e907b91274410fefce45067ceced5da38089f3795dcbbaa9cc0e9939a1913f0
SHA512 6ac1830b6fb9a39bf912d6064b2260b3f6c453975d4cba11ad9569d5305696666ae00444b89244f420c3990ed725f97f72b06212ffe21524068bd483a707918e

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\RES4F69.tmp

MD5 70bd931f50eea5ce95bea28cdc51118d
SHA1 13cb81f4a20709643458882c72ec87aa1749ac8b
SHA256 5b0f86b40034687e9810db1e8994ab896ddb9f453eb87ffd6a5c0c349cb53929
SHA512 e3cb6e54e2ab36972dc3f00499df5cba10de8f270cb4ec4cb0edfc937a2f2e535c8e664f67e8f119b37897736d2086c6407731254f4d1bc15d6221f96b692889

C:\Users\Admin\AppData\Local\Temp\vbc4F68.tmp

MD5 89f0789c01251e6b2c88551d61029199
SHA1 7bf90deedb964189e52f286d97078b82dc405de5
SHA256 dcbd2cf526cd4d09d990694f39935441db622ca97c741838eeb110e157189c58
SHA512 82173b2621ba03647f3ef173e9f7121ebfbe86cb00c7c4a0cec936f91a946b317c169ca2835a82f1231a255be433b93d5700c7a64931c16cc1e2e2af0ff736da

C:\Users\Admin\AppData\Local\Temp\tmp4DA3.tmp.exe

MD5 f1756d1f52f3ec3d699a2f29e6795fc2
SHA1 7358f0fdf06517d5aec6a36f5ed21fe0756d98ef
SHA256 9b5e567d9fa50fcf572d6cff7a6022b89496f05980f27534296fdec2484fe31d
SHA512 6c63285bdc9924b1d871dd614812e32500257d47b0b6d5242895e02abd638964de73ff69fe02f87b02e9c6578eb38e3b5feae099b657e75f5fed567284ca0850

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 23:41

Reported

2024-04-08 23:44

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp43BB.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp43BB.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp43BB.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4760 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1368 wrote to memory of 3600 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4760 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe C:\Users\Admin\AppData\Local\Temp\tmp43BB.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe

"C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cyqy0our.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES561A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2DDD1E992346454CA33505975775733.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp43BB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp43BB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2732 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\cyqy0our.cmdline

MD5 f8a0667906b45d2fbc5fd33fb519dd01
SHA1 e5d1602c62fba01637de9015e38f4ce55d047fde
SHA256 9284a13771d50275c304f907115c5a001193ecdbc2af0bd792c6350958ee4562
SHA512 d19db76d8bf746edd070a4344a2944bbcf552e5e98f21a2f442c63abc121a8c0a2b3788c2302ac74613b42ba4cb275032a72de2daf36c92b05553abf4edfe35a

C:\Users\Admin\AppData\Local\Temp\cyqy0our.0.vb

MD5 e394a089d80d7505e9d3d9cb1d31f41a
SHA1 9cc39f2244a4220f45303b341b53a2f48436d3d8
SHA256 785508e544ff271aa897b9bc59e49295a621382303c7137097ca2574b0e655ff
SHA512 4c3d4cf22d189ca854118dad6a8c1f898d81a53ded79a24679e4c8cf27e1abf03965c1245e29f9c7dcdf9a077f6e69173bbdda6c3d72c4355cb995cf834ef4aa

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc2DDD1E992346454CA33505975775733.TMP

MD5 1c431e049b7a49bff3b6557d3042b9b7
SHA1 6cb8a1fa6d78ddfc45d99a215745a7799f0251d0
SHA256 3764524d8e0eb1698dc71f8fa03da456cad42f664fd665d77f5126361850d4d5
SHA512 2ceb1eedcbaf1868c6320b9ca1ae5e2e6d90512c42fb09a888eae68c85bb2f4f71b0758f9417f6e38cc2b3e73db410af3007f9a33324e0d8afdc09957a7bd8c1

C:\Users\Admin\AppData\Local\Temp\RES561A.tmp

MD5 23aba11312fc64602fae1b3d9449bce3
SHA1 702f838be4fabe8dedf7f0a085c806a4409d89b3
SHA256 1095943d15ed190532f3d1ecd2a3de4772327e6f50bc775e1c8b6bf84be6a491
SHA512 1089f7eb187f71f1f89e4b46e5655178a31fe550c8f11fc7f212fabbd3afef701c46932a0d8c2ad8b62e149dc53ad8536c8a3e6147678af6a654ed6c5475fc37

C:\Users\Admin\AppData\Local\Temp\tmp43BB.tmp.exe

MD5 baadfec4ac42a4b70900b8f795b4bced
SHA1 88da7a0fc8e9af20f1acb28df042415e3cb33c1c
SHA256 44127b1cee3e8eb74a8b8dcd870066208697848cd64ea7461c2a9ad25fa158f1
SHA512 f75d8fcd815010b55a585c7e658e6ef966f8b77bb6420c8de890a20a2e9fa8d3cf1445621ced00e637bf8dbc03a2ec52c035e57839e7fc2fe48a30af8906dc3a
