Malware Analysis Report

2024-11-16 13:10

Sample ID 240409-b5vp5seb21
Target bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4
SHA256 bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4

Threat Level: Known bad

The file bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Deletes itself

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 01:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 01:44

Reported

2024-04-09 01:46

Platform

win7-20240319-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2224 wrote to memory of 2852 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2056 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe

"C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xbrcrwjm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc36C9.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp

Files

memory/2056-0-0x0000000074B10000-0x00000000750BB000-memory.dmp

memory/2056-1-0x0000000074B10000-0x00000000750BB000-memory.dmp

memory/2056-2-0x0000000000190000-0x00000000001D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xbrcrwjm.cmdline

MD5 c1c87d1628db3668afa4cc23f3a2d564
SHA1 4f8423b15a614ac42d07958a782f346d30724600
SHA256 27cb52399ce68c276b0449ede20c750759337ba5d6bc08f8c8b774c2cc1d34d6
SHA512 4728af2b63d5439d5aab8f3ef2f25f5d9cfc85ec30a08119d9f9514558cd2b38b3f3d2524c863604d4261e9530560a952a684a99225fcffcfeb6efecbfcd7e06

memory/2224-8-0x0000000002080000-0x00000000020C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xbrcrwjm.0.vb

MD5 f46c55b6878355ade8ff0e87f577223d
SHA1 dd2bdd4ec5e239b25ac79d9f68ea0226af9bae55
SHA256 0420f7331ea5392e3664e44b8b7a2b13e172cdde15df43d71c2e7d8900647f47
SHA512 045d889de0f519440db2b40b82790472d95670c683135d6644c0f1f06334df284198fc3dff8de69dfa6167cc061b70812389918f46115e13acaf03a62a5f91af

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc36C9.tmp

MD5 6f3a2ecc71fc15051b5a2c6bd034f44a
SHA1 841fe25e569fa8ea6af7d3c78ab2a400733efba4
SHA256 b6bd3c72a57345964c9bdcfeb27bb07a77d63e599a2b04241cb8b45c61da5290
SHA512 0fedd42471433e5b9faac1624f29d6c6c6f9ef302f488ee7234576cf4af3dd1810e25c44d527f6777cf2e062905388a1e098aa4e974fb53b4eba35aa66228a1c

C:\Users\Admin\AppData\Local\Temp\RES36CA.tmp

MD5 40def61c906d6b9232e8af5d1804b84d
SHA1 ccf8a872557643e3076ce2ad3600221f3668c58d
SHA256 d916119339d4da740b02daaa6566b3d11c53f76cdbe21bf18e1bb75850aa6d53
SHA512 290d1451f7fc53daacb434b43dcfdcc251cc2a0bc689f49a652211df4c7b6a06990179c5f406a92f96dbed9eeadbcafe8b7a8b26aafa79f90e2c09cf55c589e4

C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.exe

MD5 88f133acf1e180fbc0c243a360590c0b
SHA1 d943716e5faa25cdc760ce5df284c2bb6fc10d87
SHA256 24e8ae52427b97587291c09a5a184d22e6e5d339e9ff83f285a21251aeaa1b22
SHA512 aebaa84f9ac8a6f32e5a8283bfe3b274dcb3d276374af74571e987bee2f17bb088882da3c28587bbab2174680ae6df44ca86ddf6d4183f48dc88c234961cc207

memory/2056-23-0x0000000074B10000-0x00000000750BB000-memory.dmp

memory/3020-25-0x0000000000640000-0x0000000000680000-memory.dmp

memory/3020-24-0x0000000074B10000-0x00000000750BB000-memory.dmp

memory/3020-26-0x0000000074B10000-0x00000000750BB000-memory.dmp

memory/3020-28-0x0000000000640000-0x0000000000680000-memory.dmp

memory/3020-29-0x0000000074B10000-0x00000000750BB000-memory.dmp

memory/3020-30-0x0000000000640000-0x0000000000680000-memory.dmp

memory/3020-31-0x0000000000640000-0x0000000000680000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 01:44

Reported

2024-04-09 01:46

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp6263.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp6263.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp6263.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1252 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4856 wrote to memory of 5068 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1252 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe C:\Users\Admin\AppData\Local\Temp\tmp6263.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe

"C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\knhp8dvp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDFE88762A37D4EEBA55B71EC8A82C26.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp6263.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6263.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

memory/1252-0-0x00000000749A0000-0x0000000074F51000-memory.dmp

memory/1252-1-0x00000000749A0000-0x0000000074F51000-memory.dmp

memory/1252-2-0x0000000000EF0000-0x0000000000F00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\knhp8dvp.cmdline

MD5 2b530c149de5da6b6595f55e1392a2fe
SHA1 96371eed71dd0f7cb6bbbd107ce469a50325f094
SHA256 990487debd4ed2a952b95f9b2ac5217950eef5dda94319d585fa890904ae922b
SHA512 128795b011b50f4aa13b443ec88e79a17a3426a3f4e73dc1ac27876716888c86e579847f2beade74dc718e53298207ecafcc2307f218364a77a3df4f803b3989

C:\Users\Admin\AppData\Local\Temp\knhp8dvp.0.vb

MD5 8b21dc7ba1c92eb6f57c021dd15b5ed4
SHA1 3b153035cbadf1defdfc9ee095141181620e244b
SHA256 aa048b07b6de068efbe12f8014d4fa3f6eb369adc93777c2d70615b1bd8768bc
SHA512 ededa352133cafe9486b58bcf95dede456abd70813a905a232a7bc9d97baff63abec203c267c185f9fef317bb51205041de21b7200340329110fdd0f319f2aa3

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcDFE88762A37D4EEBA55B71EC8A82C26.TMP

MD5 ea0fee970814444022e7f5dcb6eca796
SHA1 8442db36aec5a3c5d90ad7575d8c2473fbcf2e5a
SHA256 6ec45616458fdc27a9140b8358d4e081118b5d21755fd4091da9ff917b6c2853
SHA512 fd9e17b8d2e60adcd314cf5038a4b85e68c40d671e87f4a53fa17ad4c33fe889f468b60c84f8fd1b7fcbaf1353545ebf202f6c736ee2f914dea50ced03ec3f70

C:\Users\Admin\AppData\Local\Temp\RES63CB.tmp

MD5 e09f8d68dbd3b3bbf2e58c51d7ad61f5
SHA1 83607c15aad2e4c537302ea3adf0d6553123ead2
SHA256 bad7a01b3b11557308154c5e9bf39fbf1dd2d612d69c8b107e8ea2ad98433beb
SHA512 74340022e9b1acf53d6921b44c50bbc89a1e8a3b5b1824e89b6116315624e3b90026fa69ed00c993631f2bf87c873fd28ec0e9c303763ec4ef22015ba967cf52

C:\Users\Admin\AppData\Local\Temp\tmp6263.tmp.exe

MD5 e04e40515e89bae3bc8ca8f48bdae7c8
SHA1 35350fa796b5c58bd038c3d9e58241e7393eda44
SHA256 22dc70cbd9a9c4afae62704b8799688100637ba72e16da5d100705e86fa82389
SHA512 6492b9eafda5be39ac2a89ff4b4ba7dbaee66e30d896b638ea2663fa20d46d75ac9a5b4e64754f0068a439564a814e7f96974431d312b53ee698af897edf0cae

memory/2464-20-0x00000000749A0000-0x0000000074F51000-memory.dmp

memory/1252-21-0x00000000749A0000-0x0000000074F51000-memory.dmp

memory/2464-22-0x00000000011F0000-0x0000000001200000-memory.dmp

memory/2464-23-0x00000000749A0000-0x0000000074F51000-memory.dmp

memory/2464-25-0x00000000011F0000-0x0000000001200000-memory.dmp

memory/2464-26-0x00000000749A0000-0x0000000074F51000-memory.dmp

memory/2464-27-0x00000000011F0000-0x0000000001200000-memory.dmp

memory/2464-28-0x00000000011F0000-0x0000000001200000-memory.dmp