Malware Analysis Report

2024-11-16 13:11

Sample ID: 240408-zam9ksba99
Target: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9
SHA256: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9
Tags: metamorpherrat persistence rat stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9
Threat level: Known bad

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Deletes itself

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

The Enterprise Matrix V15 view did not survive extraction. The signatures in this report correspond to the following techniques (editorial mapping of the signatures listed above, not the report's own matrix):

Adds Run key to start application: T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Uses the VBS compiler for execution: T1027.004 Obfuscated Files or Information: Compile After Delivery
Deletes itself: T1070.004 Indicator Removal: File Deletion
Checks computer location settings: T1614.001 System Location Discovery: System Language Discovery
AppLaunch.exe placed in %TEMP% (see the Run key indicator): T1036.005 Masquerading: Match Legitimate Name or Location

Analysis: static1

Detonation Overview

Reported

2024-04-08 20:30

Signatures

Unsigned PE: the sample carries no Authenticode signature. No further indicators were recorded in the static pass.

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 20:30

Reported

2024-04-08 20:33

Platform

win7-20240215-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmp.exe

Uses the VBS compiler for execution

vbc.exe is the VB.NET command-line compiler, not a VBScript engine. The sample writes VB.NET source and a response file to %TEMP%, has the framework's own vbc.exe (with cvtres.exe for the resource section) build them into tmp12E5.tmp.exe, and then runs the result; the /noconfig @*.cmdline invocation and the *.0.vb file name match what the .NET CodeDOM VBCodeProvider produces. vbc.exe and cvtres.exe are signed Microsoft binaries, so the parent/child relationship and the response file under a user-writable directory are what distinguish this from a developer build.

Adds Run key to start application

persistence
Process: C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe" (value data shown unescaped; the report prints it JSON-escaped, quotes included)

The value name System.XML and the file name AppLaunch.exe both borrow legitimate .NET names (AppLaunch.exe ships under %WINDIR%\Microsoft.NET\Framework), but the path is the user's %TEMP%. The Files section of this run lists no AppLaunch.exe being written, so the autostart entry points at a file this capture did not see created.
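An audit of Run-key values in the shape the report prints them, as an added example (not part of the sandbox report and not MetamorpherRAT code). The first input line is the value tmp12E5.tmp.exe writes above; the other two lines, the trusted-directory allow-list and the script-host list are constructed assumptions of this example and do not appear in the report. It decodes the JSON-escaped data, splits off a quoted executable path, and flags entries that live outside trusted program directories, reuse a .NET Framework binary name outside the framework directory, or launch a script host against a user-writable path.

```python
"""Audit Run-key autostart values for persistence that lives outside trusted
program directories, parsing the 'Set value (str) <key> = "<data>"' shape this
report prints for registry indicators.

Added example, not part of the sandbox report or of MetamorpherRAT. The first
input line is the value tmp12E5.tmp.exe writes in the run above; the other two
are constructed contrasts (an assumed-benign vendor entry and a script-host
launcher) that do not appear in the report. TRUSTED_PREFIXES and SCRIPT_HOSTS
are assumptions of this example.
"""
from __future__ import annotations

import json
import re

RUN_LINE = re.compile(
    r'Set value \(str\) (?P<key>\\REGISTRY\\\S+\\Run\\(?P<name>\S+)) = (?P<data>".*")$'
)
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = re.compile(r"c:\\users\\[^\\]+\\appdata\\", re.I)
# Names that ship under %WINDIR%\Microsoft.NET; a copy anywhere else is a lure.
NETFX_NAMES = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
# Launchers that execute whatever they are handed rather than being the payload.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}

SID = r"S-1-5-21-2248906074-2862704502-246302768-1000"
KEY = r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run" % SID
CONSTRUCTED_LINES = [
    # as printed in the report: the data is a JSON-escaped string that itself carries quotes
    r'Set value (str) %s\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""' % KEY,
    r'Set value (str) %s\OneDrive = "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"' % KEY,
    r'Set value (str) %s\Updater = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\upd.vbs\""' % KEY,
]


def split_command(cmd: str) -> tuple[str, str]:
    """Split an autostart command line into (executable, arguments),
    honouring a quoted executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    head, _, rest = cmd.partition(" ")
    return head, rest.strip()


def audit_run_values(lines: list[str]) -> list[dict]:
    """Return one finding per Run value that has at least one reason to be looked at."""
    findings = []
    for line in lines:
        m = RUN_LINE.search(line)
        if not m:
            continue
        exe, args = split_command(json.loads(m["data"]))
        low = exe.lower()
        base = low.rsplit("\\", 1)[-1]
        reasons = []
        if "\\" not in low:
            reasons.append("unqualified_image_name")  # resolved through PATH, so hijackable
        elif not low.startswith(TRUSTED_PREFIXES):
            reasons.append("outside_trusted_dirs")
        if USER_WRITABLE.match(low):
            reasons.append("user_writable_path")
        if base in NETFX_NAMES and not low.startswith("c:\\windows\\microsoft.net\\"):
            reasons.append("netfx_name_outside_framework_dir")
        if base in SCRIPT_HOSTS:
            reasons.append("script_host_launcher")
        if USER_WRITABLE.search(args):
            reasons.append("user_writable_argument")
        if reasons:
            findings.append({"value": m["name"], "exe": exe, "args": args, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_values(CONSTRUCTED_LINES):
        print(f["value"], f["exe"], f["reasons"])
```

The report's own entry trips three checks at once (untrusted directory, user-writable path, framework binary name outside the framework directory); the assumed OneDrive entry produces no finding, which is the point of checking the executable's location rather than its name.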

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege   Process: C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
Token: SeDebugPrivilege   Process: C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmp.exe

Suspicious use of WriteProcessMemory

PID 1244 (C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe) wrote to memory of PID 2000 (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe), 4 times
PID 2000 (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe) wrote to memory of PID 1440 (C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe), 4 times
PID 1244 (C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe) wrote to memory of PID 2900 (C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmp.exe), 4 times

Each group coincides with a process creation in the tree below (the writer is the parent of the target), which is what process start-up looks like under this instrumentation. No write targets a process the writer did not create, so this signature corroborates the execution chain rather than showing injection into an existing process.

Processes

Process tree (parent/child relationships inferred from the memory-write events above):

PID 1244  C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
          "C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe"
  PID 2000  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mens4nmz.cmdline"
    PID 1440  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc13BF.tmp"
  PID 2900  C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe

The freshly compiled binary is started with the original sample's path as its only argument, consistent with the dropped copy being handed the original so it can remove it (the Windows 10 run below flags "Deletes itself" on the equivalent process).

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 8.8.8.8:53 hackorchronix.no-ip.biz udp 1
US 34.67.9.172:80 bejnz.com tcp 106

The 106 TCP rows were identical and have been collapsed into the count. 8.8.8.8 is the sandbox's resolver, not an indicator. hackorchronix.no-ip.biz is a hostname at a dynamic-DNS provider, the usual way a RAT reaches an operator on a changing IP. The report attributes every TCP connection to bejnz.com at 34.67.9.172:80 and does not show which resolution produced that address, so treat the no-ip hostname, bejnz.com and 34.67.9.172 as three separate indicators.

Files

memory/1244-0-0x0000000074B10000-0x00000000750BB000-memory.dmp

memory/1244-1-0x0000000074B10000-0x00000000750BB000-memory.dmp

memory/1244-2-0x0000000000370000-0x00000000003B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mens4nmz.cmdline (compiler response file, passed to vbc.exe via @)

MD5 cd516cf8682bc63b410b4d8f99d38910
SHA1 bdf29115bd52db620bd3a41a21d504b19d8f4144
SHA256 dde82dd2792c36724c0492db41dfec58ecf226ae742578722b9cd89016355e29
SHA512 a800dcbbe4d7e6bde41aae2c7c5898fab4ae1f430ae16dba6ef2410ee441fff30c470db569ac8efb6fc0fa720621f0a18c87ec2dd9518216527d0af0462c52ee

C:\Users\Admin\AppData\Local\Temp\mens4nmz.0.vb (the VB.NET source vbc.exe compiled; its hash differs from the Windows 10 run's 0nemvysu.0.vb, so the generated source is not byte-identical across runs)

MD5 5320148874d8604e01419af688b85e1b
SHA1 21a6839c882b3531845d786d49fea5f26d1d1ce4
SHA256 5d6a69185540aaa5bbe7e790d579fed614ddca6f07f25d744f61928190c8afc4
SHA512 c6e355ba42c3b506dcbc764ff4c40953a1556bbbc0bdfeab11715cb11ecf1b76060ff0b531cba9bd976f4e27c7bd881755b2638d232a4a215e7f7aa8943fcbc0

C:\Users\Admin\AppData\Local\Temp\zCom.resources (resource file dropped to %TEMP%; identical hash in both runs)

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\RES13C0.tmp (cvtres.exe output, the /OUT argument above)

MD5 0feab416a36edfb5a9ddef16829fbca0
SHA1 2409ca305df9d246b37cac9e05aad38effe36b0f
SHA256 5bb21a137cd24aeb4d7e1845af37c4acfb41e323875fa154775a4376a4269af0
SHA512 dc9c61f8b1429fed9611f3d7ee5cfb694dc43462d4d821441a8817c24a10cfceb757254f4dd5ce7bf0f456acdedd90d31306a5de4dca2619bbe637efbf0d3fc0

C:\Users\Admin\AppData\Local\Temp\vbc13BF.tmp (cvtres.exe input)

MD5 336ca875c2113afb536c44505f702a10
SHA1 51410a1e4f0bc8cfe047f259b9f56f13c32a6b04
SHA256 222d30cb7846501d09f91459ac052abace1ae961a5f3e3e9f2bd6be1e93a60d9
SHA512 04680925f907c031773c5f6097fbe1a9d43aa7b4035987a71f414dd7a084ce125f260c6dd078bc38ed62b5dde24a4d8e70014f1852f7be2b8d4087c35753048f

C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmp.exe (the compiled output; started by PID 1244 with the original sample's path as argument, see Processes)

MD5 4881389c8ae06da40b8e86da635e655b
SHA1 0d08695406e16376689df5f8b62726c6cd4e464d
SHA256 5ab36cc1821dabc506faaef6ae40129db06e8bfcbb294ba0bf66c3e1d7ede11f
SHA512 dc928274b0da073c6cd7f36d5592abc461a677698daeb04d2cd664b8e18bb7b8594a76061e790b3a3a2a0c052f9382ae10a46fe50d0394fd2279156a96be7967

memory/1244-22-0x0000000074B10000-0x00000000750BB000-memory.dmp

memory/2900-23-0x0000000074B10000-0x00000000750BB000-memory.dmp

memory/2900-24-0x0000000000A50000-0x0000000000A90000-memory.dmp

memory/2900-25-0x0000000074B10000-0x00000000750BB000-memory.dmp

memory/2900-27-0x0000000000A50000-0x0000000000A90000-memory.dmp

memory/2900-28-0x0000000074B10000-0x00000000750BB000-memory.dmp

memory/2900-29-0x0000000000A50000-0x0000000000A90000-memory.dmp

memory/2900-30-0x0000000000A50000-0x0000000000A90000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 20:30

Reported

2024-04-08 20:33

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Key value queried: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe

Geo\Nation holds the user's country code (what GetUserGeoID returns). The .NET runtime also reads it when resolving the current region, so on its own this indicator is low-signal, and it fires only in the Windows 10 run. It matters if the sample behaves differently by country, which a single-locale sandbox run cannot show.

Deletes itself

Process: C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Process: C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe" (value data shown unescaped; same value name and target path as in the Windows 7 run)

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege   Process: C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
Token: SeDebugPrivilege   Process: C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe

Suspicious use of WriteProcessMemory

PID 4404 (C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe) wrote to memory of PID 2012 (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe), 3 times
PID 2012 (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe) wrote to memory of PID 4660 (C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe), 3 times
PID 4404 (C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe) wrote to memory of PID 2648 (C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe), 3 times

As in the Windows 7 run, each group matches a parent creating a child in the tree below; no write targets an unrelated process.

Processes

Process tree (parent/child relationships inferred from the memory-write events above):

PID 4404  C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
          "C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe"
  PID 2012  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0nemvysu.cmdline"
    PID 4660  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc91DB679839454547A21C5EAE99BE6.TMP"
  PID 2648  C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 8.8.8.8:53 hackorchronix.no-ip.biz udp 26
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp 1
US 8.8.8.8:53 (other PTR names, one query each) udp 11
US 34.67.9.172:80 bejnz.com tcp 100

The other PTR names queried: 97.17.167.52, 240.197.17.2, 138.32.126.40, 104.219.191.52, 217.106.137.52, 150.1.37.23, 103.169.127.40, 206.23.85.13, 23.160.77.104, 249.197.17.2 and 253.15.104.51, each with the .in-addr.arpa suffix.

Read in order, the log is one DNS query for hackorchronix.no-ip.biz followed by three or four TCP connections to 34.67.9.172:80, repeated for the whole 155 s window: a C2 retry loop that keeps re-resolving the dynamic-DNS name. 172.9.67.34.in-addr.arpa is a reverse lookup of the same 34.67.9.172 the sample connects to. The remaining reverse lookups are for addresses the sample never connects to, are absent from the Windows 7 run, and are better explained as Windows 10 background traffic than as sample behaviour.
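A summariser for a flattened network log of this layout, as an added example (not part of the sandbox report and not MetamorpherRAT code). ROWS is a constructed excerpt of the table above in the report's own "Country Destination Domain Proto" format, and the dynamic-DNS suffix list is an assumption of this example. It collapses repeated rows into counts, separates DNS queries from connections, reports hostnames at dynamic-DNS providers that are resolved repeatedly, and matches PTR queries against the destination IPs the sample actually connected to.

```python
"""Condense a flattened sandbox network log into per-endpoint counts and pull
out what matters in it: hostnames at dynamic-DNS providers that are resolved
again and again (a C2 retry loop), and reverse (PTR) lookups that point back
at a destination the sample actually connected to.

Added example, not part of the sandbox report. ROWS is a constructed excerpt
of the behavioral2 table in the report's own "Country Destination Domain
Proto" layout; DYNDNS_SUFFIXES is an assumption of this example.
"""
from __future__ import annotations

from collections import Counter

DYNDNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "no-ip.com", "ddns.net",
                   "duckdns.org", "hopto.org", "zapto.org")

ROWS = """\
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
"""


def parse_rows(text: str) -> list[dict]:
    """One dict per 'Country ip:port name proto' row; malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, name, proto = parts
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        rows.append({"country": country, "ip": ip, "port": int(port), "name": name, "proto": proto})
    return rows


def ptr_target(name: str) -> str | None:
    """'172.9.67.34.in-addr.arpa' -> '34.67.9.172'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def is_dyndns(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def summarize(rows: list[dict]) -> dict:
    """Counts per DNS name and per (ip, port, name, proto) connection, plus the
    two derived views: repeated dynamic-DNS lookups and PTR queries for an IP
    that also appears as a connection destination (the sample looking up its own C2)."""
    dns = Counter(r["name"] for r in rows if r["port"] == 53 and r["proto"] == "udp")
    conns = Counter((r["ip"], r["port"], r["name"], r["proto"]) for r in rows if r["port"] != 53)
    dest_ips = {ip for ip, _port, _name, _proto in conns}
    return {
        "dns": dns,
        "connections": conns,
        "dyndns_lookups": {n: c for n, c in dns.items() if is_dyndns(n)},
        "ptr_of_destination": {n: ptr_target(n) for n in dns if ptr_target(n) in dest_ips},
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(ROWS)).items():
        print(key, dict(value))
```

On the excerpt this yields four connections to 34.67.9.172:80, three lookups of hackorchronix.no-ip.biz flagged as dynamic DNS, and 172.9.67.34.in-addr.arpa matched back to 34.67.9.172, while the PTR query for 52.167.17.97 is left alone because nothing connects to that address.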

Files

memory/4404-0-0x0000000074D70000-0x0000000075321000-memory.dmp

memory/4404-1-0x0000000074D70000-0x0000000075321000-memory.dmp

memory/4404-2-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0nemvysu.cmdline (compiler response file, passed to vbc.exe via @)

MD5 03599a7e611c72876f453ff6c819ee5e
SHA1 47b29ba60896d41b0d0b9755052cb4cbf81ac0c7
SHA256 0162e504266c1579176631a8124c81423f48346612bdabd1518aec1989a5893e
SHA512 e02800111e0cf893e120caa4b7b16e2657071c070624191cb36acea9053cd56a2c272ddf71ef210eb4e8c69955f9d3ce6ef9c0c65d981e0e3ffb86feed0c9817

C:\Users\Admin\AppData\Local\Temp\0nemvysu.0.vb (the VB.NET source vbc.exe compiled)

MD5 b8e147d26abe709def149c1c243c3c65
SHA1 8f6ca911d4dc35db1f7478ca7609b55c6138934a
SHA256 56936fa9cce510e6ea74fd77aab4080f9894e5c00695fa9a150fd62f666f0fca
SHA512 5516fae2be098e5089e5bc7b04d86cc7e16e7b2f9e23a7f23d564bb25dfab23b2d4ec353d8392c803b42a27b7dd0241b14595f7470cf5eca10319d88cd368a6b

C:\Users\Admin\AppData\Local\Temp\zCom.resources (resource file dropped to %TEMP%; identical hash in both runs)

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc91DB679839454547A21C5EAE99BE6.TMP (cvtres.exe input)

MD5 8b4f6e3c5ec87cd97cc24f022242f950
SHA1 4c062b85cbd269fe482f1249ff09d8bdf39a2f39
SHA256 fab93703b93f687b598cca0e4c1cfa305d5d5ae12c60cc948e95936c66f575a7
SHA512 c0ece332135c75ffb0128a6d7f53effb3edc45802c0e8bcf0106d7f109bbfb1ed74c28c511023ab982cbf2e8225083e43245d9c66fa80170e9c86a560a52b0b3

C:\Users\Admin\AppData\Local\Temp\RES82CC.tmp (cvtres.exe output, the /OUT argument above)

MD5 9502b62767c8947ecf7656a856382172
SHA1 c41fc74bed12ef887560548b30a1dc2f087e2ccb
SHA256 6095a306964545354b3436b5884e2ad3130650a46ac6e45312493c056afca04e
SHA512 d5c8592497ebc38c9b56f70bec72e79ec0c0827dd7ce59d7e7c0e054a30a114d23d551ce80bff4524f979dec19ab7434f977c91dd129742740544745dc7c23df

C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe (the compiled output; started by PID 4404 with the original sample's path as argument, see Processes; its hash differs from the Windows 7 run's tmp12E5.tmp.exe)

MD5 3de6945359a7f84064ce519cf60b95a3
SHA1 bd23a417e5a28c393319f0d11c1903b5cffd301f
SHA256 ed28b9af0594e43c5270dfbf6ac1d1eef371d8e692d7882ccef5e060d9edeb54
SHA512 cb35dbad3482f94f1abbc6d88ab9a6665d1443f511c4b477bba79d394a776783f7366714c87019acc8368b0b7d60d44b7648f5592207c7c9aea182c56542f72d

memory/2648-21-0x0000000074D70000-0x0000000075321000-memory.dmp

memory/4404-20-0x0000000074D70000-0x0000000075321000-memory.dmp

memory/2648-22-0x00000000013F0000-0x0000000001400000-memory.dmp

memory/2648-23-0x0000000074D70000-0x0000000075321000-memory.dmp

memory/2648-25-0x00000000013F0000-0x0000000001400000-memory.dmp

memory/2648-26-0x0000000074D70000-0x0000000075321000-memory.dmp

memory/2648-27-0x00000000013F0000-0x0000000001400000-memory.dmp

memory/2648-28-0x00000000013F0000-0x0000000001400000-memory.dmp