Malware Analysis Report

2024-11-16 13:11

Sample ID 240409-cq5r8sfb3x
Target c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f
SHA256 c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f
Tags metamorpherrat persistence rat stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f

Threat Level: Known bad

The file c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Uses the VBS compiler for execution

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-09 02:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-09 02:17
Reported 2024-04-09 02:20
Platform win7-20240220-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1027.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp1027.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp1027.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2924 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2924 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2924 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2788 wrote to memory of 2488 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2788 wrote to memory of 2488 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2788 wrote to memory of 2488 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2788 wrote to memory of 2488 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2924 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe C:\Users\Admin\AppData\Local\Temp\tmp1027.tmp.exe
PID 2924 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe C:\Users\Admin\AppData\Local\Temp\tmp1027.tmp.exe
PID 2924 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe C:\Users\Admin\AppData\Local\Temp\tmp1027.tmp.exe
PID 2924 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe C:\Users\Admin\AppData\Local\Temp\tmp1027.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe

"C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gslckfb1.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc10A4.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp1027.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1027.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp

Files

memory/2924-1-0x0000000000420000-0x0000000000460000-memory.dmp

memory/2924-0-0x0000000074370000-0x000000007491B000-memory.dmp

memory/2924-2-0x0000000074370000-0x000000007491B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gslckfb1.cmdline

MD5 a1e3baaef8dd1810a785cbba5f7169df
SHA1 3ad2bb238d31fd62e973ce953a8693123e687a72
SHA256 7023982ff79d67ff6edad8200e66e821f9f9fc7db3c386385eba18101393ced0
SHA512 b99f3297ea646578fe148af61c96bf5bfda261daafff81545307e73b73c380018d942314377efb8aa46dede43b9597953ed1749208414fe61be08048eb61df98

C:\Users\Admin\AppData\Local\Temp\gslckfb1.0.vb

MD5 a51b2cc2281e84e277b88f3d59a8876b
SHA1 9058e550944e25621587ae06643cb3fac1dc9bdf
SHA256 ee0dc9b6257b5d56683e5b5118752f8e094d50c05fc51c5a2a4cdb757ee2b2fe
SHA512 bb80c82d5235c1cf09044be7d797b5ed0a73ae13f357d8ecddf6a87def2f96f5ba085c9c8d5c8f4b6a592d7e695c9a0b6cb3f829132cd4c7fcf7b67ca52f0b51

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\RES10A5.tmp

MD5 284c52bdd29b694ee0f9214b19ba2184
SHA1 67b18af547eec0f8ccddfba60cd7f2009675df9a
SHA256 c083ab2b5b6c4175a0e2144aacb3d808870a0df774cd48a1c07a7cf71216b48b
SHA512 411c7d0733e29839efe29b7548a33f9d2373449f7bc7f0b5cbf7a9e66c1277d4398971652fd2c98d498111dea271b194392a8e5d20dabd405d945a3831b7c5d0

C:\Users\Admin\AppData\Local\Temp\vbc10A4.tmp

MD5 d979edef66b3df98dc9a0634d522bff3
SHA1 5861bdec043fa120522dc8b3472773849082cf92
SHA256 25db1340baaa4ddc94a040e59570d62424739c255d07cf4ef290e7c73cf94b68
SHA512 1b849429cae3050e2085a2828df3ab5c6e621e654105c85566e1c91ecc72553402db57636264ed85d692d3d0c8fe5bad486fa2270da5e0ee35d8c365e0ceaa3c

C:\Users\Admin\AppData\Local\Temp\tmp1027.tmp.exe

MD5 0b17007c9b02a011206ff53f78b36c82
SHA1 c7555eeb46b08b062b3a777e9fde7e13fa5b8f76
SHA256 af6c1f76eacc1b96d7850042858d3325aec8adafca71e331cf1b5dfbb03f9afe
SHA512 ca2d0fcb69682034709299d7de41dce097e5fffbbebdb4e5086762fff36d0a39369d3277541c41ce4d5ab31ee21d5f163104e9e1dee6b2302c151f906cbbaf75

memory/2732-23-0x0000000074370000-0x000000007491B000-memory.dmp

memory/2924-22-0x0000000074370000-0x000000007491B000-memory.dmp

memory/2732-24-0x00000000009C0000-0x0000000000A00000-memory.dmp

memory/2732-25-0x0000000074370000-0x000000007491B000-memory.dmp

memory/2732-27-0x00000000009C0000-0x0000000000A00000-memory.dmp

memory/2732-29-0x00000000009C0000-0x0000000000A00000-memory.dmp

memory/2732-28-0x0000000074370000-0x000000007491B000-memory.dmp

memory/2732-30-0x00000000009C0000-0x0000000000A00000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-09 02:17
Reported 2024-04-09 02:20
Platform win10v2004-20240226-en
Max time kernel 151s
Max time network 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp409E.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp409E.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp409E.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4604 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4604 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4604 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1008 wrote to memory of 416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1008 wrote to memory of 416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1008 wrote to memory of 416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4604 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe C:\Users\Admin\AppData\Local\Temp\tmp409E.tmp.exe
PID 4604 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe C:\Users\Admin\AppData\Local\Temp\tmp409E.tmp.exe
PID 4604 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe C:\Users\Admin\AppData\Local\Temp\tmp409E.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe

"C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3ijilypt.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4958.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C2F337376074A70ABA0D5227F4A1DF0.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp409E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp409E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp

Files

memory/4604-0-0x00000000750C0000-0x0000000075671000-memory.dmp

memory/4604-1-0x00000000750C0000-0x0000000075671000-memory.dmp

memory/4604-2-0x0000000000D50000-0x0000000000D60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3ijilypt.cmdline

MD5 256279271b9a8ed728a6d99ab61cd52a
SHA1 6e96907a641e7203e466e945dc68fd4a608c258e
SHA256 2f4692f0befcd3502921442feb5c3c002e6fedffe6bcedc901d4b6b79333e60b
SHA512 a5dbd869ad8f729057bb11fc0d392a3ede560dc610d152839df4c952332df2c8ebbe36cb4de6d6523ff62f25aa75c0d08706703ca3950a67828a6840734682cf

memory/1008-8-0x00000000024C0000-0x00000000024D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3ijilypt.0.vb

MD5 1c1db4bdbf7a36f80233c2342c7eaf3d
SHA1 06cbe7307636bee8985d0ad62296f481b09c4d6e
SHA256 2a2073f651af8edc46a1413e0cce8b70b3b780bafd72717ccca12ec1b57e94b9
SHA512 772db3185d4c7b08e052bec9fdbf19557f3e855075bc4821215279108cd8350508f9a9b78c013acd92908ed7c6fff4b9e12934ffdf7cdf28f8b0bf60f3548ce5

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc9C2F337376074A70ABA0D5227F4A1DF0.TMP

MD5 55df8a760691da0b3123e5d805652096
SHA1 965f01c3e45bc874edab739a8562a003d26b6c3b
SHA256 0b9e58b4e98e337f6ff0bf1fec6e417ef04cb9f2085aa5a1eddfc0ff874ba878
SHA512 d024d3f7a85a2a7ff0d773b90f25ab89a7269d4791deeeb74cc40515e11661d78053048211011ba674b3bc0e9e8f2bab2628946808c6393e9d1e6b8afbbdd1f2

C:\Users\Admin\AppData\Local\Temp\RES4958.tmp

MD5 e7d2dbacdca9db6988562cbf44683450
SHA1 724f2d0126dcf775b0474dd7a24a65000a829775
SHA256 289654365566e5c588b5311ac58cd43abb6063a15a682abb3326481ad88235f1
SHA512 25d19e585b579e1a3a842bf611a39de69c124eaf9c0e700556c42dcfd09af97aa9c1a3fcc3827ffb835245146ef279ceab7877f29ac49e771b7392f8a24ef7d4

C:\Users\Admin\AppData\Local\Temp\tmp409E.tmp.exe

MD5 36c9130c2244e461360d9f777e122eff
SHA1 a56ec0d8a87cf6be14baa314c99511e54d47c615
SHA256 418382088e7dc1a93912923b6510937dda044ec258b397f8fc35271f853c9f3a
SHA512 624dccb947eefa6c6c2583aea8a7f9a96e54b1d43ce879092f3f2d304fce74af20e2b9d33b52e66f4cf73c3d11231a4ddcd8b34279908ac440b7034b404e12d2

memory/4604-20-0x00000000750C0000-0x0000000075671000-memory.dmp

memory/4604-22-0x00000000750C0000-0x0000000075671000-memory.dmp

memory/4632-23-0x00000000750C0000-0x0000000075671000-memory.dmp

memory/4632-24-0x0000000001470000-0x0000000001480000-memory.dmp

memory/4632-25-0x00000000750C0000-0x0000000075671000-memory.dmp

memory/4632-27-0x0000000001470000-0x0000000001480000-memory.dmp

memory/4632-29-0x0000000001470000-0x0000000001480000-memory.dmp

memory/4632-28-0x00000000750C0000-0x0000000075671000-memory.dmp

memory/4632-30-0x0000000001470000-0x0000000001480000-memory.dmp