Malware Analysis Report

2024-11-16 13:10

Sample ID 240408-ywhqjsae79
Target 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18
SHA256 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18

Threat Level: Known bad

The file 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Deletes itself

Uses the VBS compiler for execution

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 20:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 20:08

Reported

2024-04-08 20:10

Platform

win7-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2008 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2008 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2008 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2832 wrote to memory of 2556 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2832 wrote to memory of 2556 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2832 wrote to memory of 2556 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2832 wrote to memory of 2556 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2008 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe
PID 2008 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe
PID 2008 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe
PID 2008 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe

"C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vojdtnur.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3351.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3340.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe" C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 tcp

Files

memory/2008-0-0x0000000074F30000-0x00000000754DB000-memory.dmp

memory/2008-1-0x0000000074F30000-0x00000000754DB000-memory.dmp

memory/2008-2-0x00000000020F0000-0x0000000002130000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vojdtnur.cmdline

MD5 410b83482bbd54d29bbd30eba547e388
SHA1 d2ee6d0fd7e11a66d8a75646a09dbb91a2515210
SHA256 3bb8cad2ad03318f100b1ec43c6d8df0f96e7c7aaee0e375691f0a04a3fdcf97
SHA512 3fd792cde8828cbb1ae2c83558f684c35692d6760e8b71924b4cbe48d1da69dba0152301d30b39d3250889ff7705a7841af3fd412ac9fced8dbe508447bc61df

C:\Users\Admin\AppData\Local\Temp\vojdtnur.0.vb

MD5 f0fae78ccf2fa6923a613bf020520ba2
SHA1 1c27a04d86cae75a9239fc3a46579522143b6792
SHA256 30f501fac01add54e69871e883b26937f52c00492f4f2e4b58ebab6436623881
SHA512 09e4b0c35957f681b5d88a8fe9c0a2b307d34dad5968059fce466fee906d8d52e0f4841d27a355f76ff6b6957380cb25d49d744e274636b1a84ed267f774a88a

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc3340.tmp

MD5 182daf1b1d61eb3f033438814172abaf
SHA1 a660af96402bbc0450dfc913cf02c44dd1ce04d7
SHA256 d4bbec9c2631b2ff77d29a5dad35bb13e851d35a952181edbd65ce985ac9d606
SHA512 1d68a9f9b4912922e6b32fbf5cb6b1a2b0ee7eacbc227d79e993d1a1d6486eae05f67cc58db6d84935d0c83b4669b8810b108b53f788d55fb001c103bcb9e5b0

C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe

MD5 80899339ebf57364549979876d43afa5
SHA1 98f0f82a6e108545844d909a70d6cf823aae8f8b
SHA256 a81eab654c2ce292b7c0a1c82b62f3b627bccd8a6b212165d5e13371c98da1dc
SHA512 acaf398a3785325c98d530de22102bf409f088809218f1d4f6712a2998f73dce9a255427c89f9bf7c47c56b0f33dd0580da66ae3318c023dee06cc1ef9866bce

C:\Users\Admin\AppData\Local\Temp\RES3351.tmp

MD5 bc1e08e2155a42fc9b2ba081ae63f259
SHA1 d524912f7076513647bd0d1b04f5de51440675b4
SHA256 87f713eab99b52824bea8e1592819eec8b208dabbe081d1a8b46b3ae12010092
SHA512 4cb85e808960dc54fe03b5f2fffd515ae07b3648cdf4a6135151ab79ac2a46a9045f2c63a18512e4b53fc7c529d958852cf03910ba6752a55677f832f6f3e90c

memory/3040-23-0x0000000074F30000-0x00000000754DB000-memory.dmp

memory/2008-22-0x0000000074F30000-0x00000000754DB000-memory.dmp

memory/3040-24-0x00000000009C0000-0x0000000000A00000-memory.dmp

memory/3040-25-0x0000000074F30000-0x00000000754DB000-memory.dmp

memory/3040-27-0x00000000009C0000-0x0000000000A00000-memory.dmp

memory/3040-28-0x0000000074F30000-0x00000000754DB000-memory.dmp

memory/3040-29-0x00000000009C0000-0x0000000000A00000-memory.dmp

memory/3040-30-0x00000000009C0000-0x0000000000A00000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 20:08

Reported

2024-04-08 20:10

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4280 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4280 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4280 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1676 wrote to memory of 4360 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1676 wrote to memory of 4360 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1676 wrote to memory of 4360 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4280 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.exe
PID 4280 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.exe
PID 4280 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe

"C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\izt2q59o.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B96.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc78EA23C825DB4922B077C37195D9C3C1.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp

Files

memory/4280-0-0x0000000074B10000-0x00000000750C1000-memory.dmp

memory/4280-1-0x0000000074B10000-0x00000000750C1000-memory.dmp

memory/4280-2-0x0000000000C00000-0x0000000000C10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\izt2q59o.cmdline

MD5 d34877a419dfda34f2d6e7b9aa9dd085
SHA1 3ea3609973656754573fda89b7fd7c03e151b27c
SHA256 74ec0f820bf2fb2cc2f10e3c7bb180baae653b3a8e467cf8ea7bc4eb79573ee3
SHA512 7aa9faa2aec21fc58a1c3f1a3f31a56b51ba6cb503aa2c457ea83ec11220e35966b11b7bd754da36172a7e77b17d733899b873354276a30c301e0b3162a61edc

memory/1676-8-0x0000000002190000-0x00000000021A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\izt2q59o.0.vb

MD5 9c40f54adda927da873394580b3d7888
SHA1 77ebf0135c5ae90916dede1e2ea0a7a01863ee6a
SHA256 e5fbe8dea4a815fb0c26f854fe36b824c0492a2b3edb0ad29c9984746439e238
SHA512 e504f389f3a61bba44148d0f6ff4e311b615dd42ffdfc834746564143151031552001f9ad6815800a060665e92592b2e9ecf037c85416a30da1396ce98b2ab1c

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc78EA23C825DB4922B077C37195D9C3C1.TMP

MD5 43f6bf1548c27835ea8efa4d1bc9c832
SHA1 8b2755572d870423d7bc59e2e459445e34d194d5
SHA256 d06cea9a7973fa02f009c3b5765974cec6ebfc2c366be913f2afd6bc5bb35a73
SHA512 023159dd2237f1ea29123068d8384908a889e03ebd395a2549deffdfdfe46ec7885c2615fa29496c7ff74228977eba6cdb408c16f04da5a92fae101dd3976a0c

C:\Users\Admin\AppData\Local\Temp\RES8B96.tmp

MD5 ca53ef55774cd2804149b8b8de80812e
SHA1 9b0512c7181e8b569b2cd98ba1c40c323fc25aa2
SHA256 38574b6ae1c68686985184deb94b92d7115b58019680a8818f1e607e97905ce3
SHA512 2e86ad93ab49389cd6fe876fcb5ef36f823f7de914a6dabe4c778312f2bd03afa2f956beda667ae35c01596107e8d59cf725c5bb4d516b52df1eb47c2604cf76

C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.exe

MD5 cf33f91776e01a627e172db9d65cea8d
SHA1 090dfd92c34642ece6182a8cfd2e88d250bbdaac
SHA256 41ea5b603ed43e8af125b3753d4d2b483b99a1c77e287690530b9bfe952e3cf8
SHA512 d5ea0829c96bc6ffb0a63b98bc6346147e27190adcd6ba0bfd67dac7691300fa266b226b060245c656f4d2a2c8bda1dca7e7f3060163410ba2af9c7b3640c635

memory/4280-21-0x0000000074B10000-0x00000000750C1000-memory.dmp

memory/1444-22-0x0000000074B10000-0x00000000750C1000-memory.dmp

memory/1444-23-0x0000000001340000-0x0000000001350000-memory.dmp

memory/1444-24-0x0000000074B10000-0x00000000750C1000-memory.dmp

memory/1444-26-0x0000000001340000-0x0000000001350000-memory.dmp

memory/1444-27-0x0000000074B10000-0x00000000750C1000-memory.dmp

memory/1444-28-0x0000000001340000-0x0000000001350000-memory.dmp

memory/1444-29-0x0000000001340000-0x0000000001350000-memory.dmp