Malware Analysis Report

2024-11-16 13:11

Sample ID 240408-drpyvafc62
Target fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769
SHA256 fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769
Tags
persistence metamorpherrat rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769

Threat Level: Known bad

The file fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769 was found to be: Known bad.

Malicious Activity Summary

persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 03:14

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 03:14

Reported

2024-04-08 03:17

Platform

win7-20240215-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1940 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2080 wrote to memory of 2760 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2080 wrote to memory of 2760 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2080 wrote to memory of 2760 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2080 wrote to memory of 2760 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1940 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp.exe
PID 1940 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp.exe
PID 1940 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp.exe
PID 1940 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe

"C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tyuihv_p.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB18.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp

Files

memory/1940-0-0x0000000074B70000-0x000000007511B000-memory.dmp

memory/1940-1-0x0000000000C20000-0x0000000000C60000-memory.dmp

memory/1940-2-0x0000000074B70000-0x000000007511B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tyuihv_p.cmdline

MD5 8ff46869f21bf6c1ebc69473e0c96ff3
SHA1 60661446f918c0aaae207af687f4c8d2d84eb435
SHA256 d4fc687a2c915764beb89440acef5c446fa0738bf934d439eab6a8586a84e5d2
SHA512 d07790c382193e5675e3ace85c26ed0666266079af033edfde4c2bbd300446cdec61367756b54062c90af662c167d9e90fc2569c344dc2d92ac2ca55f0156e41

C:\Users\Admin\AppData\Local\Temp\tyuihv_p.0.vb

MD5 248b4d232330d666dfaceac3247a5a7b
SHA1 175f1e58d1579662501c34bc0e1d4b100808e0a6
SHA256 db3bd0e0a9ddf9b61ff5a91e35239dfa6c8e58b85b9d20a7b34a0b05ea0e7ab7
SHA512 56e9337fe91dcccc0e5fa223d9085504b0f2df166aa06d3e6202240bf72c6f5a5831fa03ecee4beba48b1185b8fc8bb7a2a9596266c37cef96b3759ae61f4e90

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcB18.tmp

MD5 9481288a162efdcdc652eafb5386d82f
SHA1 4d39808b589ae7916263e8806111a76c2c27db9c
SHA256 b727259aba1b573e974ec564a4360a0892c3a336be9dcdb7dc78206f0f60f54b
SHA512 2f6be049267886f1a2321447500392e8182e7b8de0f09b7b0c44ef0022f010857eed40c935e818258924c101b67ca075376287eddeee43ee9362524159a340ea

C:\Users\Admin\AppData\Local\Temp\RESB19.tmp

MD5 d28241c13f5aa20a570794010e817478
SHA1 438177627f8d6a68a607ecbab0edd1a2c35177df
SHA256 2437f5d812a4580924c62d5558e5712d21d8e512ead21f40d557a176a7226311
SHA512 218915808338621ed495c7a1ad8a3b9c11beab4037840891dd3965c009200410d959fd8c04b0e9b8931f4fa0ca0ccb5bcba49217e573c23851029f270973addb

C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp.exe

MD5 6975fbefbb40f2e023285a0cdb9438fd
SHA1 ec31f9608283a6b455a237c17b99cb173eeefde4
SHA256 9433d7e543bb577a2b432fe120d20c6444fd74ce5383a30075674a0b48d65d88
SHA512 23c30678c3c8721a0f0505dc83ed41df387b0ce308c4bc3f631fe6259f159b28fd72bd45ca8c5b44b4d479879cefaad9684e74f4d2bb7b185be407ddf89dfb15

memory/1940-22-0x0000000074B70000-0x000000007511B000-memory.dmp

memory/2564-24-0x0000000001CE0000-0x0000000001D20000-memory.dmp

memory/2564-25-0x0000000074B70000-0x000000007511B000-memory.dmp

memory/2564-23-0x0000000074B70000-0x000000007511B000-memory.dmp

memory/2564-27-0x0000000001CE0000-0x0000000001D20000-memory.dmp

memory/2564-29-0x0000000001CE0000-0x0000000001D20000-memory.dmp

memory/2564-28-0x0000000074B70000-0x000000007511B000-memory.dmp

memory/2564-30-0x0000000001CE0000-0x0000000001D20000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 03:14

Reported

2024-04-08 03:17

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp40E1.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp40E1.tmp.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp40E1.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 464 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 464 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 464 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4068 wrote to memory of 728 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4068 wrote to memory of 728 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4068 wrote to memory of 728 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 464 wrote to memory of 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | C:\Users\Admin\AppData\Local\Temp\tmp40E1.tmp.exe
PID 464 wrote to memory of 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | C:\Users\Admin\AppData\Local\Temp\tmp40E1.tmp.exe
PID 464 wrote to memory of 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | C:\Users\Admin\AppData\Local\Temp\tmp40E1.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe

"C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cxik4jzp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD69D71365A734D508DA3E5CE2D12915C.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp40E1.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp40E1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp

Files

memory/464-0-0x0000000074720000-0x0000000074CD1000-memory.dmp

memory/464-1-0x0000000000970000-0x0000000000980000-memory.dmp

memory/464-2-0x0000000074720000-0x0000000074CD1000-memory.dmp

memory/4068-8-0x0000000000A00000-0x0000000000A10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cxik4jzp.cmdline

MD5 0aa963368e6ebc07851ee040868530b8
SHA1 62c1d10115b739112e3551b5d9a0fa734c9cd3a1
SHA256 d4fa3667568875d954bc546e2670cbf56ce3719f01bebd8d9a1b68cb2e9f98a0
SHA512 b9fde02e3d11173f63ba01c9a0ca2ba5befefbcae39428ce81aab2db06cf4120f14644e856f5f61456147a7f87898eb9b578188589782c09c00df8ccc178b916

C:\Users\Admin\AppData\Local\Temp\cxik4jzp.0.vb

MD5 65ba14eea4e71b093e3804a4c17ed5ff
SHA1 c2707e937b0e928aece14b5ddbfe1120c6ccb5af
SHA256 b92d5f444e41cab9aa1db5733a237c2fd1c6e1387494dbad3c32a3290e3d66c5
SHA512 f66dfac01e9029ca3a6cb56148722fb10bd6d61e510bdfdebdf4ca388f406e1982594c227fbf2b777a1bd6ed7de04b5798a84866595f65a0f98cdd2ca824dd64

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcD69D71365A734D508DA3E5CE2D12915C.TMP

MD5 c45257f0e9eea6a8651954a84d56cc6f
SHA1 5dcbb71468adb298731ee8cba5dc4a50d2f30fca
SHA256 9f0e977e0d59d4999a47e8a548da50a9fe4b9bd95db773b94cf18b7975ff959c
SHA512 5d08d007c294640edeb405da7a1ae58d30660201877d933f8e1078121fc6a52aab293bfc356b68aeb361ff697984cf0c9a4ece92f1824efbc025587e10df1a1e

C:\Users\Admin\AppData\Local\Temp\RES41DB.tmp

MD5 0a26835146ee13393907f34ad070e4ca
SHA1 d3c1f13f82be4530e1e70d48e35188559a46632a
SHA256 bd4db0db9b8f4fa5440ac67256219a976a7fa2ec352f0ae2adeb85a8f00ddc46
SHA512 c0ceff09e3e07c7511e1015fbe58524d036972d5484b2b2957e240d490ba0ee3733ec4dc6908bc13a347e58682901704fe41756bbcc4719cad3f04f8881152ec

C:\Users\Admin\AppData\Local\Temp\tmp40E1.tmp.exe

MD5 386c508e2bae09dfe6099dea25bff727
SHA1 bdd54683528bdd16c083a92fa9f68df8791c05be
SHA256 fb5c7b286eb03602cd56aa2093799df9e1d31c35e88f0b6004e1295c34c6cabb
SHA512 cc6b939aa79d144092124257f418a70973c20a2549f0528f580170dc9ca5edfa9b5a15af22a10c00558e9bc9954aee9c46e6329e456b808f1649cf687a1dd6b8

memory/464-21-0x0000000074720000-0x0000000074CD1000-memory.dmp

memory/1200-22-0x0000000074720000-0x0000000074CD1000-memory.dmp

memory/1200-23-0x0000000000EF0000-0x0000000000F00000-memory.dmp

memory/1200-24-0x0000000074720000-0x0000000074CD1000-memory.dmp

memory/1200-26-0x0000000000EF0000-0x0000000000F00000-memory.dmp

memory/1200-27-0x0000000074720000-0x0000000074CD1000-memory.dmp

memory/1200-28-0x0000000000EF0000-0x0000000000F00000-memory.dmp

memory/1200-29-0x0000000000EF0000-0x0000000000F00000-memory.dmp