Malware Analysis Report

2024-11-16 13:11

Sample ID 240410-w175wsfh55
Target 071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd
SHA256 071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-10 18:24

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 18:24

Reported

2024-04-10 18:26

Platform

win7-20240221-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2572 wrote to memory of 3012 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2132 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe

"C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kyoijapj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2711.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2710.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp.exe" C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp

Files

C:\Users\Admin\AppData\Local\Temp\kyoijapj.cmdline

C:\Users\Admin\AppData\Local\Temp\kyoijapj.0.vb

C:\Users\Admin\AppData\Local\Temp\zCom.resources

C:\Users\Admin\AppData\Local\Temp\vbc2710.tmp

C:\Users\Admin\AppData\Local\Temp\RES2711.tmp

C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 18:24

Reported

2024-04-10 18:27

Platform

win10v2004-20240226-en

Max time kernel

154s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe
Target: N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1EAE.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\tmp1EAE.tmp.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp1EAE.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4012 wrote to memory of 2872 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2296 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe C:\Users\Admin\AppData\Local\Temp\tmp1EAE.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe

"C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\07axwebr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B70.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C334DDED914C0891754323614EE234.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp1EAE.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1EAE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 216.58.201.106:443 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 34.67.9.172:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\07axwebr.cmdline

C:\Users\Admin\AppData\Local\Temp\07axwebr.0.vb

C:\Users\Admin\AppData\Local\Temp\zCom.resources

C:\Users\Admin\AppData\Local\Temp\vbc2C334DDED914C0891754323614EE234.TMP

C:\Users\Admin\AppData\Local\Temp\RES2B70.tmp

C:\Users\Admin\AppData\Local\Temp\tmp1EAE.tmp.exe
