Malware Analysis Report

2024-11-16 13:11

Sample ID 240409-eqebdsec35
Target fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42
SHA256 fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42
Tags
persistence metamorpherrat rat stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42

Threat Level: Known bad

The file fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42 was found to be: Known bad.

Malicious Activity Summary

persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 04:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 04:08

Reported

2024-04-09 04:11

Platform

win7-20240221-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp7002.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp7002.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp7002.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2160 wrote to memory of 2612 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2380 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe C:\Users\Admin\AppData\Local\Temp\tmp7002.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe

"C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\px-ahfw1.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7198.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7188.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp7002.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7002.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp

Files

memory/2380-0-0x0000000074E70000-0x000000007541B000-memory.dmp

memory/2380-1-0x0000000074E70000-0x000000007541B000-memory.dmp

memory/2380-2-0x00000000000E0000-0x0000000000120000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\px-ahfw1.cmdline

MD5 85b29a523ba931893d240c69a675262f
SHA1 279eb65f90622a3a548e5525c8a24a066178dc20
SHA256 b54cbafd61e7752e37b1434eda7d3b26a0a434ca9697a565379f5111aa5a832f
SHA512 bd6df2755bc0a80a924d83babf27edb7a4e312fc7dce4fdf58342b72183125f68a28ebea9dfc9c8f46991c7fbd9cc070c723b2575e806d29c69a24a8b2c38920

memory/2160-8-0x0000000000640000-0x0000000000680000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\px-ahfw1.0.vb

MD5 5476b370d914955329081456d649175a
SHA1 eb2ed4d5a0975ef92aa06c8104c02b6eb9945951
SHA256 ccf052d74dc0f2002baf169e505306463aa279f3ab2180e4b838f3e167a6ef1c
SHA512 6e193bae518c6aef8e6d783d240d1ba09059a8e05e14734aedff3dec4fa8145b2a20a1588e9882507f49fd7ad2b1f45b78fabbfde1ba0ecd8e4901538c18be11

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc7188.tmp

MD5 0434c8a74411fe09941a055c8e1fa7a3
SHA1 145f2772c2ae3e284be729da4fb91dc7a018d50c
SHA256 ed7e62d83b232e1e1e44246574389e798e83df0263a0fcaaecaf6c0f1644c0c6
SHA512 e39f95e97a4f5c55ac042e1f0c603f16edc6aa54f7f4f42932ec5f90ad6cba7cf980ef1753b3df124b4ffdd0921929e8858ca12fe0e4811a74ba83d40fc1f1e4

C:\Users\Admin\AppData\Local\Temp\RES7198.tmp

MD5 9639cfbe7ac0a12e99420853b105ced3
SHA1 d628b3f44652130388ad1a4d1c9ec04a36abe311
SHA256 c96efe4c5f536bd59f28e9c246d5acb56cad9c95cda5fc1db1a7ae4cb482a347
SHA512 9bcda157446c15c415ba7ada10aec16789c8c664634417e6cec63658264b8af674bb3af936ef08984776b982eb276ed1e9c2dc03476abdb873c0123e6a90b297

C:\Users\Admin\AppData\Local\Temp\tmp7002.tmp.exe

MD5 a46e9489a690a9379161333b3ce52b30
SHA1 e979b02b839bc0e4693ea9105ffb5ac34dd47821
SHA256 21fc44d5bc5c15dc32c520dd0887b2f8a1f3369e45d1c4078f514a0d966a42e9
SHA512 46ef6566a6a48a7609cac62c717111a1371f68fedb85a3cef5eef0acdcef90ff640e8916f98c67911c16f968ba0403a50b2b607dacb9d2c2de48efb9b40d5faa

memory/2380-23-0x0000000074E70000-0x000000007541B000-memory.dmp

memory/2564-24-0x0000000074E70000-0x000000007541B000-memory.dmp

memory/2564-26-0x0000000074E70000-0x000000007541B000-memory.dmp

memory/2564-25-0x00000000024B0000-0x00000000024F0000-memory.dmp

memory/2564-28-0x00000000024B0000-0x00000000024F0000-memory.dmp

memory/2564-30-0x00000000024B0000-0x00000000024F0000-memory.dmp

memory/2564-29-0x0000000074E70000-0x000000007541B000-memory.dmp

memory/2564-31-0x00000000024B0000-0x00000000024F0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 04:08

Reported

2024-04-09 04:11

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp754F.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp754F.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp754F.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4500 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1504 wrote to memory of 3120 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4500 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe C:\Users\Admin\AppData\Local\Temp\tmp754F.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe

"C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cxodislu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB036E4EEB0C44319D5A66D8B905D57.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp754F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp754F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

memory/4500-0-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/4500-1-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/4500-2-0x0000000001470000-0x0000000001480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cxodislu.cmdline

MD5 e41fc44a590d9c3d5c078d7388d3ebd4
SHA1 e393dbd4cb5bd7241713d8f5d2b187d66340ecc2
SHA256 e02d0117aff4a0caf70b59d1ae83655b693f9e7da97d991a45ee1c85287c30cf
SHA512 18cfe565b9a8fc351ae53ebe2ada70f79170a9ce39db98b8cff4d9fea5d7bfdae5fa86f933f49551fc13e35022d07ef02f5a4a4796d38931c46f7a38076ef271

memory/1504-8-0x0000000000CE0000-0x0000000000CF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cxodislu.0.vb

MD5 7f597925695a66055272d03f47e1681b
SHA1 f0b7d7c797bb7e290470e4bc66f0547928b4c46d
SHA256 bc69b8140a597338f09d9ee27bbc8fc4dd70ed51fd2f0791e2ad8c61916de145
SHA512 6260ce459c6c908fbfce8b6c2f4ebbb22c22a7c5c16cee73d34eac201b2bd6576c42cd4f10a51e275710df8161de4eb7cc3dda2dbb0fdcde680ad727eaec8fe3

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcFB036E4EEB0C44319D5A66D8B905D57.TMP

MD5 ac1c1875526d2bb63e5b30446f2d3b4a
SHA1 6988757a6b4cd708b6d2b0e264f55e7eefa195d3
SHA256 4a95ccde80d37bc2e7aa9c16ce1b5840dbe66eb4fc5cf4e1cb682873a56663de
SHA512 19e94bb259b95999d20629b3bc4825a327de758fa19fdd0cc4da2f4b8515b7afcb576f501bc32cfe09b5fad77db1b58366406d57b83ae42c5154af7fdd35cf4d

C:\Users\Admin\AppData\Local\Temp\RES76F5.tmp

MD5 1e626f0bbf56e36a72d2b208c32130d2
SHA1 5807d46589863aa54a7839ed5a1088c04eb53877
SHA256 e875bcc1a890bb7b74f7bbc996e675c42461e6fa03312a1ebcb0462dce711046
SHA512 c0d72281f79785a2fb64c66d4ee2d8f92217649e06d1c26ea22c0c05ce073c163a6cfd22943a8d5910bbae7794de872c1aaca1a31c1562ed5659001d96740d8d

C:\Users\Admin\AppData\Local\Temp\tmp754F.tmp.exe

MD5 1aee2cd34b0cc6d444c41b4eb621e5a7
SHA1 e06becadcd18269a588a16a5e19ac96559cf9824
SHA256 c8a6d00a3b172f77394812fb7520752a132017ee41113c2c97af2c362a4bf35b
SHA512 b39fc7b769207394bb6a7f181bab35821eb063a11bfa57603b59af3c2f5a66797b3e230d96521bfeaa4f7e1ffc3906eddef161159e5de73894f2c2c55f267b64

memory/4552-21-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/4552-23-0x0000000000850000-0x0000000000860000-memory.dmp

memory/4552-24-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/4500-22-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/4552-26-0x0000000000850000-0x0000000000860000-memory.dmp

memory/4552-27-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/4552-28-0x0000000000850000-0x0000000000860000-memory.dmp

memory/4552-29-0x0000000000850000-0x0000000000860000-memory.dmp