Malware Analysis Report

2024-11-16 13:10

Sample ID: 240408-dqasjafb7v
Target: fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db
SHA256: fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db
Tags: metamorpherrat persistence rat stealer trojan
Score: 10/10


Analysis Overview

score
10/10

SHA256

fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db

Threat Level: Known bad

The file fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Deletes itself

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 03:12

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 03:12

Reported

2024-04-08 03:14

Platform

win7-20240221-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 856 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | 4
PID 2508 wrote to memory of 2912 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | 4
PID 856 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe | C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe

"C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2fo__eb7.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9454.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9453.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | bejnz.com | udp | 1
US | 34.67.9.172:80 | bejnz.com | tcp | 103
US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp | 1

Count is the number of identical connection or query records in the detonation log.

Files

memory/2636-26-0x0000000074190000-0x000000007473B000-memory.dmp

memory/2636-25-0x0000000002050000-0x0000000002090000-memory.dmp

memory/2636-24-0x0000000074190000-0x000000007473B000-memory.dmp

memory/856-23-0x0000000074190000-0x000000007473B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp.exe

MD5 1d9c77d40fdad280a06821cd6d89b336
SHA1 984f0e5968f1da02ff124579b6c5a7b5ece8cbff
SHA256 3cf3bd0021c68396582feceba81cf4cffc35f25842121de871d304d064e66d0a
SHA512 990ef42296e7f56c5e5e1604b17aa2611ec7024dedee05624c5a7bcbbc97408ff8f76cd5310bf81885f92e4f5300cd7dc615cbeeeee7c5c115380caeb2978675

C:\Users\Admin\AppData\Local\Temp\RES9454.tmp

MD5 8b18281ee869d9a2ee30388774a4c1cb
SHA1 431a923842c5033d623acae464bc82c7446c8827
SHA256 1b1765cd97640b153d6e84da099590bf3fa0cfc935fe381c2f62227d17ad926a
SHA512 9d9c3ef9e8aaae5e25614b4518a524ed964d755b203343169824b3b223a21d73ad2e5c535ad17b8fb846edef1a3caa9cde0912a679fe933fa48dc8871cdb90ee

C:\Users\Admin\AppData\Local\Temp\vbc9453.tmp

MD5 4a4246ee5538f052ca962eb851d78622
SHA1 148f26367ac2930535b0d8b9df51040a53b37a68
SHA256 f2ed1edf2352c0a88f887cf0e8be8ebc08842907d31c51577fc9fa39cb097643
SHA512 7f37a6368884000041142c5d423cd7bd35cce969ff579dc8fd61f7331ecd2a8a191b4155b1952aed51736eda5a85452dff1e64a3bf94099b77d1bdbe24583efb

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\2fo__eb7.0.vb

MD5 8bab61380e4ab59b1484a59c5a29e874
SHA1 dddaf29217a1ef6ac4f18dbbe98b0abf862a902c
SHA256 5a89bdf0c671bfec7a91e57512f9189064aee1498a1975a95e7e3d0456c10cbd
SHA512 ff2216c0d23c26061742941c742e93cdeebacd0d15dacf1e29427fdf33412512eafc6b6a3c36bbac9550344c55a2994398a7dcfc09d0461252dda8155655641f

memory/2508-8-0x0000000001F10000-0x0000000001F50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2fo__eb7.cmdline

MD5 349e51c1505c6a4bd1dd4196b1988838
SHA1 1381f2c42c9da7dee7c1588940f8b58aa6b69c52
SHA256 5d07d31697e61f061d1aa58750ef1d5434cdce7b9b89ff064174a8a2bc27dc2f
SHA512 058dd6c2374d84255d2a789b765a48b2350ca2e0e3d85913cfac060ef2303e3d4ebf24a771240a95bd92868040d41de2d17e8d5c3124323027976d77913e632b

memory/856-2-0x0000000000450000-0x0000000000490000-memory.dmp

memory/856-1-0x0000000074190000-0x000000007473B000-memory.dmp

memory/856-0-0x0000000074190000-0x000000007473B000-memory.dmp

memory/2636-28-0x0000000002050000-0x0000000002090000-memory.dmp

memory/2636-29-0x0000000074190000-0x000000007473B000-memory.dmp

memory/2636-30-0x0000000002050000-0x0000000002090000-memory.dmp

memory/2636-31-0x0000000002050000-0x0000000002090000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 03:12

Reported

2024-04-08 03:14

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp38D3.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp38D3.tmp.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp38D3.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 3764 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | 3
PID 4676 wrote to memory of 4220 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | 3
PID 3764 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe | C:\Users\Admin\AppData\Local\Temp\tmp38D3.tmp.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe

"C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w3pe7kc4.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A59.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F540C4932254764A496F38B5B5198B7.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp38D3.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp38D3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | bejnz.com | udp | 1
US | 34.67.9.172:80 | bejnz.com | tcp | 106
US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp | 27
US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp | 1

Count is the number of identical connection or query records in the detonation log; in the log the hackorchronix.no-ip.biz lookups recur between runs of bejnz.com connections.

Files

memory/3764-0-0x00000000755A0000-0x0000000075B51000-memory.dmp

memory/3764-1-0x0000000000F30000-0x0000000000F40000-memory.dmp

memory/3764-2-0x00000000755A0000-0x0000000075B51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\w3pe7kc4.cmdline

MD5 ecfab649c8416ca57297ecaa497ecdd3
SHA1 748872a07e979b1f9c11db66c6cd653dd377d783
SHA256 6188615cb58749d9d6634e79618920eece78d7591f555a7257860f7cc6a24a56
SHA512 c0487e9002721430a7e0de08324a2847a7a4f8e654ad612eaa0a3595a56730b8382ebe0a17d695052d92566b22814db8fa93c469808f1d6abef3d2390831ba1e

memory/4676-8-0x0000000002420000-0x0000000002430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\w3pe7kc4.0.vb

MD5 cca9fb6a7814f07fdbf228d7f564e895
SHA1 f6858d91dc87c20413685ce8ef9db3ac84b871ec
SHA256 e97e22435834aca159d8f263d4aa7612202bde89e156e5ea631e4970ce519b80
SHA512 d60da3d22f2f6735948beca31a9977793dc8d75103b1b9c895a365e38b9801beaf466bd4f50818737c70a93ca389c1c085bad3b4b71456bec667a7b418af7232

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc8F540C4932254764A496F38B5B5198B7.TMP

MD5 8fcdd42e4fedc199a26cd5cb1374c894
SHA1 16e2cc33c6f3938cde965d221deddc0eec021926
SHA256 7bbb1e3c0f3b8226024e0c45c34678c1cedd306eee0801a18783657508470c69
SHA512 817c57f2c9df84033aa714874a3fea789e7d8cd6fe0d4aa822bd04b636ae0959bc2851097e642d50705a877284d220412a4a5243cd758b16ca27d3bd11d6ba8b

C:\Users\Admin\AppData\Local\Temp\RES3A59.tmp

MD5 8af09354e776af0e3c53d16d9cc7926b
SHA1 29f8693d0a76f3bf9e5b72bb70152dd9830dbd4f
SHA256 2a82a86341171f3a4b40b06c21189e2aed8dbffbcef8bf74a827316735499571
SHA512 d6658ce0bb8363182a15f39300af1b5a290a4324b005af347c091fa3cb2fe604176fbd7e261befcce749e065c443070e39caeb66d19f3a35aa087344d22c5d1e

C:\Users\Admin\AppData\Local\Temp\tmp38D3.tmp.exe

MD5 1fa2c8132ab2596c6814394efe72603f
SHA1 a4f1dcfac6412e7f9134ff5ad32f84ec67a0a2ef
SHA256 3520650f2c2d7d8c923a8ecca2f0e1aede664aa2eb37f05b510ab08dd2c6b256
SHA512 7be354052a23de0286dc72d66d3e833fa552f0669607046fc72ce30f64a2449a6e9e9c1bd63139c24625b8936f13f91ff82fb188733528ad4b329c1b58ddb122

memory/3764-21-0x00000000755A0000-0x0000000075B51000-memory.dmp

memory/628-22-0x00000000755A0000-0x0000000075B51000-memory.dmp

memory/628-23-0x00000000755A0000-0x0000000075B51000-memory.dmp

memory/628-25-0x0000000001AC0000-0x0000000001AD0000-memory.dmp

memory/628-26-0x00000000755A0000-0x0000000075B51000-memory.dmp

memory/628-27-0x0000000001AC0000-0x0000000001AD0000-memory.dmp

memory/628-28-0x0000000001AC0000-0x0000000001AD0000-memory.dmp