Malware Analysis Report

2024-11-16 13:10

Sample ID 240408-yf3e1sdc6v
Target 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba
SHA256 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba

Threat Level: Known bad

The file 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Deletes itself

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 19:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 19:44

Reported

2024-04-08 19:47

Platform

win7-20240221-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9DF4.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp9DF4.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp9DF4.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1580 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1580 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1580 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1580 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2480 wrote to memory of 2868 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2480 wrote to memory of 2868 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2480 wrote to memory of 2868 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2480 wrote to memory of 2868 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1580 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe C:\Users\Admin\AppData\Local\Temp\tmp9DF4.tmp.exe
PID 1580 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe C:\Users\Admin\AppData\Local\Temp\tmp9DF4.tmp.exe
PID 1580 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe C:\Users\Admin\AppData\Local\Temp\tmp9DF4.tmp.exe
PID 1580 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe C:\Users\Admin\AppData\Local\Temp\tmp9DF4.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe

"C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jc4u20th.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA111.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA100.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp9DF4.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9DF4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp

Files

memory/1580-0-0x0000000074370000-0x000000007491B000-memory.dmp

memory/1580-1-0x0000000074370000-0x000000007491B000-memory.dmp

memory/1580-2-0x0000000000380000-0x00000000003C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jc4u20th.cmdline

MD5 ffbc924085d1899bed499150aaa2a904
SHA1 64b7f5c83321d07e8cf0d96d2c42900ec9269069
SHA256 72dc49d5e5c427239adc8755517352f1fc6e14c2178c30a1c56bd42fc1bc5769
SHA512 c9cf43ca349a784244dfc0969509e69d79abdd4d8206d42cbffb78e57b3ba986b5043d568184e9a1da561ba37fc04d72985192ba7a2641f5681fdc62012d6d9f

memory/2480-8-0x0000000000250000-0x0000000000290000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jc4u20th.0.vb

MD5 4882f251bbcc6a181944aa6f8d58e076
SHA1 7e4527ca82249c37c7542e796a6066c4741e0a82
SHA256 0cd988fcefb3e745673aa11a762325cdfa990a3b8b820a4b12c0487afe58a75e
SHA512 dec5f8b4fc7e1b9cdc02294de83517ead9b5c7560a01125bf56571444827fea3edfd640972387a574bb5768b8b8c24e9f9f15df179c30512644a3b9094f9241b

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcA100.tmp

MD5 6a00cce1944f90427cc355bc410cf8ac
SHA1 24aabf1c957d08d99e51b839689e9b868f96ee2c
SHA256 1e74fc192037046a0bdd0928cf5f985650b2ef3a55a23e5a33ed9d9746f2dc91
SHA512 ebe47043aacbdc2ddddfffde75ee8f05dacfce9a4e6cac25b7e0b0819dc65d19e8f4c5668485c66feb766e3129a201e62f1e4d64d7caae97f6f636b3a1cad043

C:\Users\Admin\AppData\Local\Temp\RESA111.tmp

MD5 d098314cb303dc8da5ce342de7bd2b61
SHA1 8f4e38ce6fe1b6399d3e209d35f08f10c5ee7533
SHA256 5cca08c9630b1a9a434dc127b7d818f937d8b5be5cfb3a9083c343397883866c
SHA512 85a9bb3d565f3173258900e226085fe0708007af13bbd1563f9090aa61393014599f1283b59636a96e08d42c69ead422dfcdbfac6b0f6484d22e215c051e8cd4

C:\Users\Admin\AppData\Local\Temp\tmp9DF4.tmp.exe

MD5 a1e42933b9249d45f8564a9b7ece23ac
SHA1 cbd16019d4e0ad9d898f7b493bc7627f0687cb53
SHA256 be9692991ee5295bfe385bdde3bf650df783b9aa7f43e85ab5772fb55e8f52cf
SHA512 7374e144c8728ca36bf76fb093139ca1e61f4abcc3ea4874a42980f42f04a487bbf6c3e8853cd18676d641bba0d8503d0b03a027dde0612c7768884fb87cfe59

memory/2680-24-0x0000000074370000-0x000000007491B000-memory.dmp

memory/1580-23-0x0000000074370000-0x000000007491B000-memory.dmp

memory/2680-25-0x0000000000B10000-0x0000000000B50000-memory.dmp

memory/2680-26-0x0000000074370000-0x000000007491B000-memory.dmp

memory/2680-28-0x0000000000B10000-0x0000000000B50000-memory.dmp

memory/2680-29-0x0000000074370000-0x000000007491B000-memory.dmp

memory/2680-30-0x0000000000B10000-0x0000000000B50000-memory.dmp

memory/2680-31-0x0000000000B10000-0x0000000000B50000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 19:44

Reported

2024-04-08 19:47

Platform

win10v2004-20240319-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 496 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 496 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 496 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1944 wrote to memory of 3712 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1944 wrote to memory of 3712 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1944 wrote to memory of 3712 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 496 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe
PID 496 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe
PID 496 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe

"C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tlgmbvvn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7ABE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc97A72AB2B14E44218E6EE5323D9CFEDF.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
GB 13.105.221.15:443 tcp
US 34.67.9.172:80 bejnz.com tcp
GB 13.105.221.15:443 tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 tcp

Files

memory/496-0-0x0000000075070000-0x0000000075621000-memory.dmp

memory/496-1-0x0000000075070000-0x0000000075621000-memory.dmp

memory/496-2-0x0000000000B20000-0x0000000000B30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tlgmbvvn.cmdline

MD5 0b40a607d8594ca78dc1b33bed745035
SHA1 7919530129690fa7be1c2d7c2907cb68986ac9b7
SHA256 f8f61091357e484f9e3d73c3916d29dd27ebce3823a412f5572e56e862f566dc
SHA512 a5dd8e1e821acbc267637b6c9c43501590d111764587950a6f8b36eef369fb6bd63079658b76f3792a806ed33e95f68d3d8ba63f9179a4d6ff25bf837f2d09a8

memory/1944-8-0x00000000024D0000-0x00000000024E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tlgmbvvn.0.vb

MD5 21ad08b33ec0d979eef6dc27946c6b46
SHA1 b97bb14303d9fbdb0fc4209bca6d7aaa48f1a5d2
SHA256 fdfe5eae7cebfef2f84a8bf6ca416a6be6d4392b079f1ebe120f6e80987954df
SHA512 f6041c4b6677f177ec554aaded1aa9b6225088b6b51e27555982c68937643b3bc841b36ce101002ef961ce300bc8ffdb85c881cf8447159cf799f0a2090a15e1

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc97A72AB2B14E44218E6EE5323D9CFEDF.TMP

MD5 530998809fda3e5823264c4f2c2bea8d
SHA1 f325ebbc72e26a09a3c5776cd6aeee3a5c7e36fb
SHA256 0ec66fe7d64c9f355bd8de5a818e24f45b6cf66b7e6e206f8565670f378ca2ed
SHA512 e7d69de193c5a774dc38fb89d2afa44e5a266275c320d8e0fc8d80ea48f902a29f9ba612dbe928a9262ec70a08d0a0a07dee757b95b45a4f7aeee864ad7f4573

C:\Users\Admin\AppData\Local\Temp\RES7ABE.tmp

MD5 1b4e24b0423d285a49780b2d54e545fc
SHA1 9d7e9f97cab20e9783b2d6cffc5f7e9a2cfd2994
SHA256 ea53a778fa3faf7904e74ad719b5489795c114ea419c89a8df28e5bd7a205f9e
SHA512 81f3964363fcc267c3979996818b15f615ac214077cf49045f66044cb1853775f0e0e4a754dad46f36b89dce39e9946015f0316108cc44c3722954b05321301f

C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe

MD5 feb1f1d9d0192ebae986f941630cbb0e
SHA1 be7951231b94f24fc69958c7a4b496d35824a59b
SHA256 9a721c2c8cc049071b2f3322dd0cee8a9e3305baa310af1a27daef336caef36e
SHA512 ab5d5e2d9842b49b5412abce2ada2d55d7d92f891ae4ad4942a1c560af4ffaf75edc159def83e7c89909b3fa095aaaf90dd2072cfffda1abfbd987234a3048ef

memory/496-21-0x0000000075070000-0x0000000075621000-memory.dmp

memory/4036-22-0x0000000075070000-0x0000000075621000-memory.dmp

memory/4036-23-0x00000000013D0000-0x00000000013E0000-memory.dmp

memory/4036-24-0x0000000075070000-0x0000000075621000-memory.dmp

memory/4036-26-0x00000000013D0000-0x00000000013E0000-memory.dmp

memory/4036-27-0x0000000075070000-0x0000000075621000-memory.dmp

memory/4036-28-0x00000000013D0000-0x00000000013E0000-memory.dmp

memory/4036-29-0x00000000013D0000-0x00000000013E0000-memory.dmp