Malware Analysis Report

2024-11-16 13:11

Sample ID: 240409-2ahp7see56
Target: 436b4f5121e1244b0eb49ee558b6a52e
SHA256: 2d015441fc98484166fb95ae4f8814ec248344ff501f156e48a8516d9438eeb2
Tags: metamorpherrat persistence rat stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 2d015441fc98484166fb95ae4f8814ec248344ff501f156e48a8516d9438eeb2

Threat Level: Known bad

The file 436b4f5121e1244b0eb49ee558b6a52e was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Deletes itself
Uses the VBS compiler for execution
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

This summary is the union of the signatures raised by the three analyses below: "Checks computer location settings" was raised only in behavioral2 (Windows 10), "Deletes itself" and "Suspicious use of WriteProcessMemory" only in behavioral1 (Windows 7), and "Loads dropped DLL" is listed here without a matching entry in any of the per-run signature lists.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-09 22:22

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-09 22:22
Reported: 2024-04-09 22:28
Platform: win7-20240221-en
Max time kernel: 149s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp.exe | N/A

The value is written under the user's own hive (\REGISTRY\USER\<SID>, i.e. HKCU), so it runs at that user's next logon and needs no administrative rights. Its data points to C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe, yet no file of that name appears in the Files list of either run, so the persistence target is either written after the capture window or under another name; a host check should look for the registry value itself rather than only for the file.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 2152 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | 4
PID 3068 wrote to memory of 2528 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | 4
PID 2152 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe | C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp.exe | 4

(The sandbox lists each write as its own row; identical rows are collapsed here with an event count. PID 2152 is the sample, 3068 is vbc.exe, 2528 is cvtres.exe and 2688 is the dropped tmp41D1.tmp.exe, which gives the chain sample -> vbc.exe -> cvtres.exe and sample -> tmp41D1.tmp.exe.)

Processes

C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe
  "C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\adfgr5qz.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4616.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4615.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe

Note: despite the signature name "Uses the VBS compiler for execution", vbc.exe is the Visual Basic .NET command-line compiler, not the VBScript engine. The "/noconfig @*.cmdline" response-file invocation followed by a cvtres.exe child is the footprint of .NET runtime code generation (System.CodeDom), so the sample compiles code on the victim machine; the generated source (adfgr5qz.0.vb) and the compiler's intermediate files (vbc4615.tmp, RES4616.tmp) are listed under Files. The dropped tmp41D1.tmp.exe is started with the original sample's path as its only argument, which fits the "Deletes itself" signature attributed to it above.
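The WriteProcessMemory rows and the command lines above are enough to rebuild the process chain and to state, in code, what makes it suspicious. The following is an added example written for this page, not tooling from the sandbox or code from the report: it parses the three distinct parent/child rows and the four command lines (copied from this run), rebuilds the tree, and applies three heuristics. The list of build tools that legitimately drive vbc.exe and the list of user-writable directories are my assumptions.

```python
import re
from collections import defaultdict

# Constructed input, copied from this report's behavioral1 run: the three
# distinct WriteProcessMemory parent->child rows and the four command lines.
WPM_ROWS = [
    r"PID 2152 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
    r"PID 3068 wrote to memory of 2528 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
    r"PID 2152 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp.exe",
]
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\adfgr5qz.cmdline"',
    r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4616.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4615.tmp"',
    r'"C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe',
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
# Assumed heuristics: directories any user can write to, and the parents that
# legitimately drive the VB.NET compiler on a workstation.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\", "\\users\\public\\")
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe", "dotnet.exe"}


def build_tree(rows):
    """Map pid -> image path and parent pid -> [child pids] from the WPM rows."""
    image, children = {}, defaultdict(list)
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        ppid, cpid, parent_img, child_img = m.groups()
        ppid, cpid = int(ppid), int(cpid)
        image[ppid], image[cpid] = parent_img, child_img
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
    return image, dict(children)


def image_of(cmdline):
    """First token of a command line, honouring a quoted image path."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def in_user_writable(path):
    return any(d in path.lower() for d in USER_WRITABLE)


def triage(rows, cmdlines):
    """Return [(child pid, finding)] for every parent/child relation worth a look."""
    image, children = build_tree(rows)
    cmd_by_image = {image_of(c).lower(): c for c in cmdlines}
    findings = []
    for ppid, kids in children.items():
        parent = image[ppid]
        parent_name = parent.rsplit("\\", 1)[-1].lower()
        for cpid in kids:
            child = image[cpid]
            child_name = child.rsplit("\\", 1)[-1].lower()
            child_cmd = cmd_by_image.get(child.lower(), "").lower()
            # vbc.exe /noconfig @x.cmdline is the CodeDOM runtime-compile footprint;
            # it is interesting when something other than a build tool drives it.
            if child_name == "vbc.exe" and "@" in child_cmd and ".cmdline" in child_cmd and parent_name not in BUILD_PARENTS:
                findings.append((cpid, f"runtime compile via vbc.exe driven by {parent}"))
            # A child started from a user-writable directory is a dropped binary.
            if in_user_writable(child):
                findings.append((cpid, f"{parent} started a binary from a user-writable path: {child}"))
                # Handing the parent's own path to the dropped child is the usual
                # arrangement for deleting the original once it has exited.
                if parent.lower() in child_cmd:
                    findings.append((cpid, f"{child} was given its parent's path as an argument (self-delete helper pattern)"))
    return findings


if __name__ == "__main__":
    for pid, finding in triage(WPM_ROWS, COMMAND_LINES):
        print(pid, finding)
```

Run against this report's rows it yields three findings: vbc.exe driven by the sample, the dropped tmp41D1.tmp.exe started from Temp, and that same child receiving the sample's path as its argument. Legitimate .NET software also compiles at runtime through CodeDOM (csc.exe or vbc.exe), which is why the rule looks at the parent and at where the parent lives rather than at vbc.exe alone.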

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | bejnz.com | udp | 1
US | 34.67.9.172:80 | bejnz.com | tcp | 84
US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp | 1

The 86 recorded events are collapsed above by destination, domain and protocol, in order of first occurrence. bejnz.com resolves to 34.67.9.172 and receives all of the TCP traffic; hackorchronix.no-ip.biz, a dynamic-DNS name, is queried once and no connection to it is recorded.

Files

memory/2152-0-0x00000000744F0000-0x0000000074A9B000-memory.dmp

memory/2152-1-0x00000000744F0000-0x0000000074A9B000-memory.dmp

memory/2152-2-0x0000000002020000-0x0000000002060000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\adfgr5qz.cmdline

MD5 6c30c1a93a001a32cd95b0fb6b05950b
SHA1 5f6e9d49b4a637ec753fe0831efb3f86fd15d770
SHA256 8cd0fac973c0482e5f6edb41258bbf28cc64156059810b9e73d63775cfe36b40
SHA512 8b63c3b6bde9aa6b906f46843562e3f0374b271f773e97ffef9b5feaf705f0ddc82b0b12f577b031864c2f75326940f405a5dc733acee758a49c51d3b7399f82

memory/3068-8-0x0000000002210000-0x0000000002250000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\adfgr5qz.0.vb

MD5 7dc1ad54f984d3955ab9add1e3c6f7dc
SHA1 342f260a6aa4de721d7fdcaba3038c2d67516301
SHA256 02f4b8fce6aef091f72fbc930c2bd1d2687accccc72a7740e7b87751add2141b
SHA512 62bba48e2ee14827113fa1cc13ae05b64a16213435653691443ffe2df1ad0bff1377ae3f5f758e8b269a72f0b8ce6e372f2c1f4b9193472bd7a22163bc6a4493

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc4615.tmp

MD5 00e98a83c1de8c6ae047f40eeb26a67b
SHA1 438210b3af150bb55b602030e39ee3974b47b9bf
SHA256 ba6d524118faa52d90b5ecbcc9801c46c9c31cae56965fa161d09762661b55ae
SHA512 6311b601e7e7affc0ad89b8b114461e774a2052bfe9c23a41978303c791f0d4ce391c23939c130c5cc57f4e93a3273de634152a4a117b511e47604ed65d4a02e

C:\Users\Admin\AppData\Local\Temp\RES4616.tmp

MD5 fc8e88820b8fb1294089fa0296875cbc
SHA1 4e02b59ebd83ef0dabdf1e6f0f4a5cdf1e197109
SHA256 ea5cd3f0676381948599a0fd86b4859f7a3660be170150f453841301e149193e
SHA512 f9b9154f007405ca8246fe78c88c92e6dca7cd58399649c409a6b357b9962ae86e344f0e100a9191296db472e64acf378d9882fcf171d7b0c9c57cc7351a1e8f

C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp.exe

MD5 aeacedbb712292af587fc539700b31d6
SHA1 dcd03d5df6fece65a70e45085bd5df4fc727837b
SHA256 cd3bb7103c8a597b0ef4adf9b5d94dbc41683162c34c569d891980a7401e0cf4
SHA512 c2aa47b9a381303c8668c9d65cf8a445340204b0437030c58a76992db9d149779ad74159d1d2c4d78ae33d01ee31e234fdd37836b70581e6b1545414c31e31e1

memory/2152-23-0x00000000744F0000-0x0000000074A9B000-memory.dmp

memory/2688-24-0x00000000744F0000-0x0000000074A9B000-memory.dmp

memory/2688-25-0x00000000000F0000-0x0000000000130000-memory.dmp

memory/2688-26-0x00000000744F0000-0x0000000074A9B000-memory.dmp

memory/2688-28-0x00000000744F0000-0x0000000074A9B000-memory.dmp

memory/2688-29-0x00000000000F0000-0x0000000000130000-memory.dmp

memory/2688-30-0x00000000000F0000-0x0000000000130000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-09 22:22
Reported: 2024-04-09 22:27
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3BA1.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp3BA1.tmp.exe | N/A
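The same Run-key indicator is raised in both runs (behavioral1 on Windows 7 and this one on Windows 10), differing only in the writing process and the user SID. The following is an added example written for this page, not code from the report or from the sandbox: it parses the two indicator rows exactly as the report prints them, undoes the escaping of the value data, extracts the autorun image, and applies three heuristics before emitting a PowerShell Get-ItemProperty check that can be run on a live host. The user-writable directory list, the system directory list and the "system-like" value-name prefixes are my assumptions.

```python
import re

# Constructed input: the two "Adds Run key to start application" indicator rows
# from this report (behavioral1 on Windows 7, behavioral2 on Windows 10),
# copied as the sandbox printed them.
RUN_KEY_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp3BA1.tmp.exe N/A',
]

HEAD_RE = re.compile(r"^Set value \((\w+)\) (\\REGISTRY\\.+)$")
SID_RE = re.compile(r"S-1-5-21-[\d-]+")
# Assumed heuristics: directories any user can write to, the directories a
# value named like a Windows/.NET component should point into, and the name
# prefixes malware borrows to look like such a component.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\", "\\users\\public\\")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_LIKE_NAMES = ("system", "microsoft", "windows", "security")


def unescape(s):
    """Undo the sandbox's C-style escaping of string data (backslash-quote, doubled backslash)."""
    return re.sub(r"\\(.)", r"\1", s)


def image_of(command):
    """First token of a command line, honouring a quoted image path."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def parse_run_key_row(row):
    head, sep, rest = row.partition(" = ")
    if not sep:
        raise ValueError("not a 'Set value' row: " + row)
    m = HEAD_RE.match(head)
    if not m:
        raise ValueError("unexpected row head: " + head)
    value_type, key_path = m.groups()
    data, process, target = rest.rsplit(" ", 2)   # trailing columns have no spaces
    key, _, value_name = key_path.rpartition("\\")
    command = unescape(data[1:-1])                # drop the outer quotes, then unescape
    sid = SID_RE.search(key)
    return {
        "type": value_type, "key": key, "value_name": value_name,
        "command": command, "image": image_of(command),
        "sid": sid.group(0) if sid else None,
        "scope": "user" if key.upper().startswith("\\REGISTRY\\USER\\") else "machine",
        "process": process, "target": target,
    }


def assess(entry):
    """Reasons this autorun entry deserves attention (empty list means nothing unusual)."""
    image, proc, name = entry["image"].lower(), entry["process"].lower(), entry["value_name"].lower()
    reasons = []
    if any(d in image for d in USER_WRITABLE):
        reasons.append("autorun image lives in a user-writable directory: " + entry["image"])
    if any(d in proc for d in USER_WRITABLE):
        reasons.append("value written by a process running from a user-writable directory: " + entry["process"])
    if name.startswith(SYSTEM_LIKE_NAMES) and not image.startswith(SYSTEM_DIRS):
        reasons.append(f"value name '{entry['value_name']}' mimics a system component but points outside system directories")
    return reasons


def hunt_command(entry):
    """PowerShell check for the same value on a live host. The sandbox SID means
    nothing elsewhere, so the HKEY_USERS/<SID> path is rewritten to the HKCU: drive."""
    parts = entry["key"].split("\\")   # ['', 'REGISTRY', 'USER', '<SID>', 'Software', ...]
    if entry["scope"] == "user":
        drive, rel = "HKCU:", "\\".join(parts[4:])
    else:
        drive, rel = "HKLM:", "\\".join(parts[3:])
    return f"Get-ItemProperty -Path '{drive}\\{rel}' -Name '{entry['value_name']}' -ErrorAction SilentlyContinue"


if __name__ == "__main__":
    for row in RUN_KEY_ROWS:
        entry = parse_run_key_row(row)
        print(entry["value_name"], "->", entry["image"], f"({entry['scope']} scope, SID {entry['sid']})")
        for reason in assess(entry):
            print("  -", reason)
        print("  hunt:", hunt_command(entry))
```

Both rows trip all three heuristics. Because the key is per-user, the hunt command is the HKCU form; on a multi-user host, iterate the loaded hives under HKEY_USERS instead of relying on the interactive session.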

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3BA1.tmp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe
  "C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rzqz5wsb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CBB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC97854981F402FAE1879967D3711B1.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp3BA1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3BA1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | bejnz.com | udp | 1
US | 34.67.9.172:80 | bejnz.com | tcp | 105
US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp | 27
US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp | 1

The 144 recorded events are collapsed above by destination, domain and protocol, in order of first occurrence. As in behavioral1, all TCP traffic goes to bejnz.com at 34.67.9.172:80, while hackorchronix.no-ip.biz is re-queried throughout the run (27 times, roughly once every four connections) without any connection to it being recorded, a pattern consistent with a dynamic-DNS callback name that did not resolve during detonation. Of the in-addr.arpa reverse lookups, only 172.9.67.34.in-addr.arpa corresponds to an address seen elsewhere in the capture (34.67.9.172); the report does not attribute the others to a specific process.
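The Network tables of both runs are long lists of near-identical rows, and the interesting facts (one address takes all the TCP traffic, one dynamic-DNS name is resolved but never connected to, most reverse lookups name addresses that appear nowhere else) only emerge after aggregation. The following is an added example written for this page, not tooling from the sandbox: it parses rows in the report's "Country Destination Domain Proto" layout, collapses them with counts, and derives those three facts. The input is the first 19 rows of this run's table, copied verbatim; the dynamic-DNS suffix list is my assumption.

```python
import re
from collections import Counter

# Constructed input: the first 19 rows of the behavioral2 Network table, copied
# from this report. The functions work unchanged on the full table of either run.
NETWORK_ROWS = """\
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
""".splitlines()

ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (tcp|udp)$")
# Assumption: a short list of dynamic-DNS providers; extend it for real use.
DYNDNS_SUFFIXES = (".no-ip.biz", ".no-ip.org", ".no-ip.com", ".ddns.net", ".duckdns.org")
PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(rows):
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            events.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return events


def summarize(events):
    """Collapse events to (destination, domain, proto) -> count, in first-seen order."""
    counts = Counter((f"{e['ip']}:{e['port']}", e["domain"], e["proto"]) for e in events)
    return list(counts.items())


def queried_never_connected(events):
    """Forward-lookup names that never appear on a TCP connection."""
    queried = {e["domain"] for e in events
               if e["proto"] == "udp" and e["port"] == 53 and not e["domain"].endswith(PTR_SUFFIX)}
    connected = {e["domain"] for e in events if e["proto"] == "tcp"}
    return sorted(queried - connected)


def ptr_to_ip(name):
    """'172.9.67.34.in-addr.arpa' -> '34.67.9.172' (PTR names carry the octets reversed)."""
    return ".".join(reversed(name[:-len(PTR_SUFFIX)].split(".")))


def reverse_lookups(events):
    """For each PTR query: the IP it names and whether that IP is a TCP peer in the capture."""
    peers = {e["ip"] for e in events if e["proto"] == "tcp"}
    result = {}
    for e in events:
        if e["domain"].endswith(PTR_SUFFIX):
            ip = ptr_to_ip(e["domain"])
            result[ip] = ip in peers
    return result


def dyndns_names(events):
    return sorted({e["domain"] for e in events if e["domain"].endswith(DYNDNS_SUFFIXES)})


if __name__ == "__main__":
    ev = parse_rows(NETWORK_ROWS)
    for (dest, domain, proto), n in summarize(ev):
        print(f"{n:4d}  {proto}  {dest:18s} {domain}")
    print("queried, never connected:", queried_never_connected(ev))
    print("dynamic DNS names:", dyndns_names(ev))
    print("reverse lookups (ip -> is a TCP peer):", reverse_lookups(ev))
```

On the 19 sample rows this reports 10 connections to 34.67.9.172:80 for bejnz.com, three queries for hackorchronix.no-ip.biz with no connection, and five reverse lookups of which only 34.67.9.172 is a peer. Blocking by the resolved address alone would miss the dynamic-DNS name, which is the indicator most likely to stay stable across samples of the same family.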

Files

memory/2240-0-0x0000000075360000-0x0000000075911000-memory.dmp

memory/2240-1-0x0000000075360000-0x0000000075911000-memory.dmp

memory/2240-2-0x0000000000B50000-0x0000000000B60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rzqz5wsb.cmdline

MD5 bf6e2b4dbeb69a81a687cb79c8cef254
SHA1 811a7425371eba32c4315d1065b1db39924771c0
SHA256 b72346992a37118fdca3ca5c1d5467275375eefdd3b05503a287bb74b289004f
SHA512 99f290c766343ba03f63a107e6fcf1ca067e11b0c5249c04b387fc1d4e06e432b848ee659dbd12bed369fcff7e69b780fef7c591aaacc2700bf66daaa2307893

memory/1988-8-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rzqz5wsb.0.vb

MD5 9c2f9ee4841a9d3e66c7e3a2d393e1cd
SHA1 a1e9af19384fa168bb97d5412c0677a6ef9ab93d
SHA256 1798b74004dd803ff6f1e1b9727de4ad9892905ce682a77e02a3b95db65d91a5
SHA512 cbec0e0ec3eb19f62c5bec73bbe6a44b5214a5274b66e18e360af0985ac298c88ba783ae4389540f5c24cc7fa0b87028f250eadb7ed0bd4c53ce66ca4c3357ee

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcC97854981F402FAE1879967D3711B1.TMP

MD5 c2c286c23fb6ab20f4208d3714451023
SHA1 67d0833ae189414e2d4c1295a3cd4c965d3e8953
SHA256 4e44dce28415fcacd3397fe2c425e7b3e3362a35248c91650cfe6a8daa5e34cc
SHA512 40bcc27648b593e8885fad0418c57aa3fb313f773a0bb037405e068b878494d3e39217ad98ef2e81a0cd30f034442d513a3644eeab3bba4353a21ff2e1c2c191

C:\Users\Admin\AppData\Local\Temp\RES3CBB.tmp

MD5 b427b6d6f4486f2042b7ef6833c15ea2
SHA1 ead1e687da948b2c107bbb14db95f2ed6d1d6c7c
SHA256 8e57a4bbafeea23be0f5e6d00fa71e36706851929c5b0d6469d612ca398792e6
SHA512 86dbd038d6a5003dba0e8173ed508f0d0cade4b8259286a017e7c6c63853b37959cf9293abc3af6c9fdb3930f6fe5efbe50f76a8e7796852f7b1162b97317efb

C:\Users\Admin\AppData\Local\Temp\tmp3BA1.tmp.exe

MD5 c7d846f38e1adf29bc96255ccdbfde14
SHA1 fd1897836aa4ba3cd66ca6a99cdb3e4ba5f61967
SHA256 c0b636b5ffa8a43e3b7bb83a0541da5ec7a09acd50313cb077f453ef1c0a2960
SHA512 5ebb26aa8896820cd885dfa40efdf6720391e9505dd612624614639ed32fb8e2ee6363f02b1faf4386458bd14c1a28d617c0cde8ac2262a952c677735b8218a4

memory/2240-21-0x0000000075360000-0x0000000075911000-memory.dmp

memory/4912-22-0x0000000075360000-0x0000000075911000-memory.dmp

memory/4912-23-0x00000000017F0000-0x0000000001800000-memory.dmp

memory/4912-24-0x0000000075360000-0x0000000075911000-memory.dmp

memory/4912-26-0x00000000017F0000-0x0000000001800000-memory.dmp

memory/4912-27-0x00000000017F0000-0x0000000001800000-memory.dmp

memory/4912-28-0x0000000075360000-0x0000000075911000-memory.dmp

memory/4912-29-0x00000000017F0000-0x0000000001800000-memory.dmp