Malware Analysis Report

2024-11-16 13:10

Sample ID 240408-c6e7hsee2z
Target ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112
SHA256 ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112
Tags
metamorpherrat persistence rat stealer trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256

ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112

Threat Level: Known bad

The file ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Loads dropped DLL

Uses the VBS compiler for execution

Executes dropped EXE

Checks computer location settings

Deletes itself

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 02:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 02:41

Reported

2024-04-08 02:43

Platform

win7-20240221-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp7FDA.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp7FDA.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp7FDA.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2696 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1064 wrote to memory of 2916 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2696 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe C:\Users\Admin\AppData\Local\Temp\tmp7FDA.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe

"C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fuepdtov.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc81CD.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp7FDA.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7FDA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 tcp

Files

memory/2696-0-0x0000000074C60000-0x000000007520B000-memory.dmp

memory/2696-1-0x0000000074C60000-0x000000007520B000-memory.dmp

memory/2696-2-0x0000000000BE0000-0x0000000000C20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fuepdtov.cmdline

MD5 32a2677dfdf86ecc840975601779e766
SHA1 c0ba7c4adbdadb98dd8c70b1fdba4c1f56ae469f
SHA256 e1c26f9852826a185d43e94e5d0546d0fa430e9dc00f65bde7f828cc62fbf4a6
SHA512 9e147e1d81b54c44892951f72a5d994ecb4bbf0ce4a559574cab6a90459a5bf8581f3e0dcc7c3041fa4f6d6fc449593a6e5089eb0c6949798b7992a783eb386c

C:\Users\Admin\AppData\Local\Temp\fuepdtov.0.vb

MD5 79b5b6d672154e1450b4db60a4672184
SHA1 f8aa8c4e8bf66a606209e3f3e5ab49d8b71006c8
SHA256 0304b8ebaa092a4c3b27d3d2be722a0303a3c9cd47caad5610d8e68263c7e366
SHA512 ae584778cd07980f138ced540aefee88ddd34da51f4a82960e670f18a824b143a1500cca10770ff4b6a2f26a9a404023e80fe6b0dcd15e255794b99e08af443f

C:\Users\Admin\AppData\Local\Temp\RES81DE.tmp

MD5 717d0a30ccdbba5d3df8a1df2e21914d
SHA1 cbb3760c47177e9750305aae9404f59401cc566d
SHA256 bf9fa2d008293b203ac1aba8245ffbf07e8814dab22ade351750e4bc044c9a52
SHA512 a42792f01ad282a29eb0d83630cba37d6e40f26a76ff3ed180af3ff62b0e66c4664f7e914a3441e3daef6d422dfb6b92f0a9e5bf306853c6cf924c0f9d080f41

C:\Users\Admin\AppData\Local\Temp\tmp7FDA.tmp.exe

MD5 b6d31ff51431e4bfcc4177ce86b604d2
SHA1 35808580a822fbfeda24aea22b96ac9c70e65076
SHA256 1d1450fb6db1486162aaa4ff90c54f494faefa6004a43eb0493253b39db8435c
SHA512 cdbade17d3d825100bf2df816c500c12a38ea1cb02d6afe698a1c3eee4baa68d74774fa02b76199239b53acd2057a7516b365357ecd7866c87f84abb63b261be

C:\Users\Admin\AppData\Local\Temp\vbc81CD.tmp

MD5 52f1bb85fb9a39b519bb8ec2ffd67f3a
SHA1 32fbe5535619376a2829ad068bbdee1202578130
SHA256 dc7c5f2aa79f38d2729ed58a52cbe71a0ad6948cc0232a495f59484607ff9423
SHA512 54fd7c4f170e08812204d15a85778b25784ca24d064fcea0685b99fe46c76bffd42a07c65b6f68631d0595af36c1231c1105832482715bcff8340a34944a87e9

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

memory/2648-22-0x0000000074C60000-0x000000007520B000-memory.dmp

memory/2696-24-0x0000000074C60000-0x000000007520B000-memory.dmp

memory/2648-23-0x00000000005D0000-0x0000000000610000-memory.dmp

memory/2648-26-0x00000000005D0000-0x0000000000610000-memory.dmp

memory/2648-28-0x00000000005D0000-0x0000000000610000-memory.dmp

memory/2648-27-0x0000000074C60000-0x000000007520B000-memory.dmp

memory/2648-29-0x00000000005D0000-0x0000000000610000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 02:41

Reported

2024-04-08 02:43

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4E6E.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4E6E.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp4E6E.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp4E6E.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3300 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4856 wrote to memory of 3828 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3300 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe C:\Users\Admin\AppData\Local\Temp\tmp4E6E.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe

"C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wa1znmbw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F39.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcADF8DC2A6F2A49C7A5B59E64137EC06C.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp4E6E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4E6E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/3300-0-0x0000000074D90000-0x0000000075341000-memory.dmp

memory/3300-1-0x0000000001500000-0x0000000001510000-memory.dmp

memory/3300-2-0x0000000074D90000-0x0000000075341000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wa1znmbw.cmdline

MD5 e6bdafb5f360c40bb39ac1f7f13b9124
SHA1 6cd21ca3095638ac5381ed8fe92fe02a65bb5a4a
SHA256 aeacb0d255655f6b39f581f9f6d0847bcea313090c12fedde2ccad553f1f1dcc
SHA512 c61516aee149ebc85372f970c5a28a05542df0a5ea69fe36b0d5600217e94e1ca632c0121a9e64ad2dff3ad6742b2b7763c768afd7f20b68f14d0211457e2e56

C:\Users\Admin\AppData\Local\Temp\wa1znmbw.0.vb

MD5 5e342cc6a2729e2ccb429bf04b5f4d3c
SHA1 3bd17cb51dc49fa9f49a3400f99e9766ef7d67b0
SHA256 c76145c34253f20dde0a857b77dc3b44069b128d1ef388cb3c38e2c3119e21d8
SHA512 f049598a2e2f20ef5417f48b0ce6377c5cc2d54eafeed42f25affeb3400ccf80d8f1b53ec433ea313519b175745f307ce5e5e1499e1408e64b410f61d26bc1e1

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\RES4F39.tmp

MD5 5797188c9b75a9156bc8ded36c2163e7
SHA1 d2f06579257704ccfa11e2ee17a3f27bb111fc83
SHA256 503c0c0421c3ab5714761e47815445816c31b50eaf67a206faca7e8170e33981
SHA512 b60dd9481acd6f658b14a5310a84265e30895b6021b1e8a59fa4f41d3a2ebd6f02f0b268f68f169c31f2bfd53e7019123434267bf1f55c8d027a7d16df5da77f

C:\Users\Admin\AppData\Local\Temp\tmp4E6E.tmp.exe

MD5 aa41afc84b2712d9c4e4a57a816a19b4
SHA1 4ef580be52d97072248f8f038cc090350cb7c40b
SHA256 fc494c1e00e049dd780b309109e5e8c243d81bc9e6bd55bd3e08bcdcf6b2c635
SHA512 dc1506cc64c02fba50d76f85227b7a785b71a9786a20142a7a6004990439fc4034879301363bea795a37ddc897c3fa6b43e61df97df501e73c71d7e22f913a80

C:\Users\Admin\AppData\Local\Temp\vbcADF8DC2A6F2A49C7A5B59E64137EC06C.TMP

MD5 92ebc7f2cee7986f4b2df2295c82f733
SHA1 05dd064f45d8e27566d1394196b5637a78c243ad
SHA256 8427d850f97b8e7451757060dc22118a8fd3b9b2d44ca5d9e63fc066ad014db4
SHA512 807194f57539fa38862383e4c06424c03c1b925848ab16850f8452435d08ac0011e296275d8227335b47ab701b711f378904350bee55619c2f7d29eb0f7aca37

memory/3300-20-0x0000000074D90000-0x0000000075341000-memory.dmp

memory/2056-21-0x0000000074D90000-0x0000000075341000-memory.dmp

memory/2056-22-0x0000000001680000-0x0000000001690000-memory.dmp

memory/2056-23-0x0000000074D90000-0x0000000075341000-memory.dmp

memory/2056-25-0x0000000001680000-0x0000000001690000-memory.dmp

memory/2056-26-0x0000000074D90000-0x0000000075341000-memory.dmp

memory/2056-27-0x0000000001680000-0x0000000001690000-memory.dmp

memory/2056-28-0x0000000001680000-0x0000000001690000-memory.dmp