Malware Analysis Report

2024-11-16 13:10

Sample ID 240409-a6cqaagh77
Target a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f
SHA256 a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f
Tags
persistence metamorpherrat rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f

Threat Level: Known bad

The file a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f was found to be: Known bad.

Malicious Activity Summary

persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 00:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 00:49

Reported

2024-04-09 00:51

Platform

win7-20240221-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4B43.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp4B43.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp4B43.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2736 wrote to memory of 2088 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2208 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe C:\Users\Admin\AppData\Local\Temp\tmp4B43.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe

"C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lw-jk5w3.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D47.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D36.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp4B43.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4B43.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp

Files

memory/2208-0-0x00000000747E0000-0x0000000074D8B000-memory.dmp

memory/2208-2-0x0000000002030000-0x0000000002070000-memory.dmp

memory/2208-1-0x00000000747E0000-0x0000000074D8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lw-jk5w3.cmdline

MD5 fb1c2cbc19c23ea533659e14c1005bc8
SHA1 c90a648a1e14393a2c95838fdc53971db42258fa
SHA256 369c5a832c5c07f31a9586d25060ad437ec337d9e1ae0c24828f006da93d05c8
SHA512 9f4ecb8d6fb6ec4f96cb29db1cd8124f206bf574e0b2d4466c7392f7cce0901b93234b7f530f95c31a53fb14ef51e75cacf72ba2171f23c3fbe6f91d207f2324

C:\Users\Admin\AppData\Local\Temp\lw-jk5w3.0.vb

MD5 6cf0a9485f36cfd64d7d8cd56f84ccd6
SHA1 501185e02d2009f5e7ab134470ed5027ec71c617
SHA256 dd07abf561e5998804796c116e821b925061ce03de1535a70a9d61b08e7ff56f
SHA512 7d18b763b2fbff71d237e1397e5ca1b916a9e069a445c7375fbdf6997328299c7bd0efb286015eabedca061ab6357c1248109b2fa89fd6ba041376942f55cdd8

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc4D36.tmp

MD5 b98e079761d2dc73bcf7675bb272bacd
SHA1 dd03d30a8bb4ab2a09a5e739b40bd97648c5098d
SHA256 f657fb8c6c316cb4dcb4ecb0170cdf4437a31f3e08ff737b755984eea87a2a35
SHA512 278e91f4264c9c6d2c3e0ef58df428bbda1bd2279dfd0562560ba0c6c4b02a2d5b07baad4b29d1a32c2e4b3b13a0a518b8611044b6e6d0dcdfc868cd06a73f32

C:\Users\Admin\AppData\Local\Temp\RES4D47.tmp

MD5 55eaa7613bea5b99569a8f50319ac3ec
SHA1 8a52b810fb2f5cd105da2e51a71a1984a7867c5d
SHA256 f12eb0ce3185562ebe17d6736380a7dcf86762be700da34aa011fcb031060f59
SHA512 a104c89324e8e9702982594c0a36ad9ee833e99735bb3332c37a4432d3d1c8d37ee0e603bff749e6a47d4edeb75638faf911c65594a7f25026e74dfeea8e5466

C:\Users\Admin\AppData\Local\Temp\tmp4B43.tmp.exe

MD5 5c7f75ac227b53670db1af6e21e195cb
SHA1 0db3017524b890089f98a416a8ee36e4a74f5068
SHA256 ef7c13240043a54500bbb52f477e216ff17944f4123d04d1c4ca450eeb8fad71
SHA512 a935bba635e50f0bceb02fe38716ca604184d398d29272eeb6b897488cf2418c325d1a6bdc81f39cfbba4031af57ab112dd7aa46628ab95913753102fa4b4ec2

memory/2208-22-0x00000000747E0000-0x0000000074D8B000-memory.dmp

memory/2724-24-0x00000000021C0000-0x0000000002200000-memory.dmp

memory/2724-25-0x00000000747E0000-0x0000000074D8B000-memory.dmp

memory/2724-23-0x00000000747E0000-0x0000000074D8B000-memory.dmp

memory/2724-27-0x00000000021C0000-0x0000000002200000-memory.dmp

memory/2724-28-0x00000000747E0000-0x0000000074D8B000-memory.dmp

memory/2724-29-0x00000000021C0000-0x0000000002200000-memory.dmp

memory/2724-30-0x00000000021C0000-0x0000000002200000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 00:49

Reported

2024-04-09 00:51

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp3393.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp3393.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp3393.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4756 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2816 wrote to memory of 2784 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4756 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe C:\Users\Admin\AppData\Local\Temp\tmp3393.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe

"C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wrkveqmm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES349D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4BD3FFD73D694E2F97E06652B7CE8E12.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp3393.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3393.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

memory/4756-0-0x0000000075480000-0x0000000075A31000-memory.dmp

memory/4756-1-0x0000000075480000-0x0000000075A31000-memory.dmp

memory/4756-2-0x00000000014A0000-0x00000000014B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wrkveqmm.cmdline

MD5 acabb575e424fab627f55e96e319e5af
SHA1 a40299a221e25146203ae2fa44af8c5bfe6368b7
SHA256 8f8ab63b373d7db985e815e08d02db9dd7eb8b034001419d6197c84f85acb637
SHA512 fa4f429df09c7183441556f1e008adaf271c516ff25ea44a9c7b37dd07b636677f9cfd3169d925f7848962336fe481ec56473fbc62e30b2776dd9f75a83a7d63

C:\Users\Admin\AppData\Local\Temp\wrkveqmm.0.vb

MD5 14f27bf1279da7493410456ae6eb48e0
SHA1 385c6a4330f44745201455080bd65ad96e7fe998
SHA256 0d3d11ec8050ebba969722750ac68abbc494d2c82222df1186417a41d8d59d88
SHA512 f09a3ba9cfc29a5ff1e8ded71459fcd0cbfe0e4a02b8b6cbafb893b18448870eb7971ddcc36e7e3daa9b4ddf38e93db3050c51c2fba7418af4d4f6704e0a64b9

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc4BD3FFD73D694E2F97E06652B7CE8E12.TMP

MD5 39b4288ec22c4563b1d0e0c722c8380c
SHA1 b275f3a1ab0b8b61e3988f99217abc8879bb7d84
SHA256 d5c863d76883676b97f834ee1573bcba0647141c50d3a97126281ca2c4c17978
SHA512 f0aae44531955f56235a59b3b8ec5b1e8cf81ce72415078bdbb871cf943f723aedd1680cff4b5d033d467804bb053dc7428051ec8c9d5a80eddc6dabfede4984

C:\Users\Admin\AppData\Local\Temp\RES349D.tmp

MD5 0ab7e9927132a322ffad07d6836f9bf0
SHA1 319900f331d984609b42cc31ecde139677ecc5d3
SHA256 1f3ae11edb5b340efdcba1c5ac4533788d5eb1911db292465c1f068ee2d66866
SHA512 b231f5b1032a4409b369b868b499c4be18ee50e7ddc2ad4971f3c2d52ad171d792f5cedb2ba70e3c3b72e060043fd43c4e4f8d28451146d60f93594b30b7faef

C:\Users\Admin\AppData\Local\Temp\tmp3393.tmp.exe

MD5 7a589baf691c2364bf44a91de07f3006
SHA1 fa4397119f14c5e585701b5d2fdfb41980597cac
SHA256 d0a45988b38d5ab15d9df72340ac5709086bcb375919790464d022233aff04a6
SHA512 d790fd27e7b007d597b1073862d9350ba4d769d3dca7ff550a2d688e87a65465c620222aa48a9d5600c0de53042549b788500311b00228c62907144301fd1877

memory/4756-20-0x0000000075480000-0x0000000075A31000-memory.dmp

memory/3272-21-0x0000000075480000-0x0000000075A31000-memory.dmp

memory/3272-22-0x0000000000E60000-0x0000000000E70000-memory.dmp

memory/3272-23-0x0000000075480000-0x0000000075A31000-memory.dmp

memory/3272-25-0x0000000000E60000-0x0000000000E70000-memory.dmp

memory/3272-26-0x0000000075480000-0x0000000075A31000-memory.dmp

memory/3272-27-0x0000000000E60000-0x0000000000E70000-memory.dmp

memory/3272-28-0x0000000000E60000-0x0000000000E70000-memory.dmp