Malware Analysis Report

2024-11-16 13:11

Sample ID 240410-yfzn5ahg24
Target 2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa
SHA256 2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa

Threat Level: Known bad

The file 2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-10 19:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 19:44

Reported

2024-04-10 19:46

Platform

win7-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2221.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp2221.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp2221.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2948 wrote to memory of 2972 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2320 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe C:\Users\Admin\AppData\Local\Temp\tmp2221.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe

"C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bm_bsgxk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc22AD.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp2221.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2221.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp

Files

memory/2320-0-0x00000000741C0000-0x000000007476B000-memory.dmp

memory/2320-1-0x00000000003A0000-0x00000000003E0000-memory.dmp

memory/2320-2-0x00000000741C0000-0x000000007476B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bm_bsgxk.cmdline

MD5 d931a535563cd6f3fbfa68bac6909c0b
SHA1 7fcb224a9f105c158aba70dda018a471a9bc9088
SHA256 cec6be495ce901440c66421cebfedd39b09a1c09a1b4051394b54d12a7b19fa3
SHA512 c731c9fd6ba2bdf40ddd1475ad763b89849caa0a15cb26fcfd432fc27c8cc8e18126da3043cb4eb3d1ee01c08934e1fd6a8bab63e1fdcd79124a028f087023cb

C:\Users\Admin\AppData\Local\Temp\bm_bsgxk.0.vb

MD5 9d1612ccc8a72cfded5fa7ec9fabc0da
SHA1 2bb4d8ff2d5a244a56ed0f2efc8a51c670aa772d
SHA256 f3017413c9ffbb30ebc12bf016162f8245440d182bad5ef52bda1ab16d5c387b
SHA512 1cf791a1b46ddc2a7067a8f9163f09b259fa4c87c3c0d72ddc0122b9593d59f6ab7c94de831ef23d3b1f4852deea422bd2d0335106e89e563dd0b18aadd60619

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc22AD.tmp

MD5 7450775cbd03f82cf86939e971e28df6
SHA1 ca775221de8c8a288112565d8ab6f3878551dfc7
SHA256 c5ce81245e612960390865f679449110195af7d2b63a9b3dacc7caf7ece01be4
SHA512 5d5f9748f353803694bb022ed6ad7c412c52f098d863141e0c7338612adf020f5e53634856a293622585d886660a634cbb5311bc3adda55c308be98318c0bf2a

C:\Users\Admin\AppData\Local\Temp\RES22BE.tmp

MD5 22a2122c1630ef78909e82e2b4573c9a
SHA1 d4527a0e6edf17bb9ca238d6c3fcc674cb1250dd
SHA256 c98e5d2eda6a8499f27cd5fdf4ddf4e4813714a82ef187da51ce3637153286fc
SHA512 643afa5b2a5b05fc9028fde03fee24e770140585b68b352ae8ddfd70d4948a30df43b5b7f9ab1b1c892560b6b58467749c336b5d4cd7a60dd74f87647972a258

C:\Users\Admin\AppData\Local\Temp\tmp2221.tmp.exe

MD5 f2c894574183d897efefa4090c06a6b1
SHA1 6f7db1820174463a293bdcff603e2f55cc306fe5
SHA256 b6398d8ceb0481b47282fa42a650e639fdb42eedd1f7615ea52e48f5307c45a1
SHA512 ab4423d197e95b0bc8609adae23821e0692cd9de74eb152b75c0ed37d12ec8c310061fa940e5552d0884c219035c993e4f5e33d78428538b327d5292df6d20bc

memory/2320-22-0x00000000741C0000-0x000000007476B000-memory.dmp

memory/2036-23-0x00000000741C0000-0x000000007476B000-memory.dmp

memory/2036-24-0x0000000001FC0000-0x0000000002000000-memory.dmp

memory/2036-25-0x00000000741C0000-0x000000007476B000-memory.dmp

memory/2036-27-0x0000000001FC0000-0x0000000002000000-memory.dmp

memory/2036-29-0x0000000001FC0000-0x0000000002000000-memory.dmp

memory/2036-28-0x00000000741C0000-0x000000007476B000-memory.dmp

memory/2036-30-0x0000000001FC0000-0x0000000002000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 19:44

Reported

2024-04-10 19:46

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp3E22.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp3E22.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp3E22.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3320 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 760 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3320 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe C:\Users\Admin\AppData\Local\Temp\tmp3E22.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe

"C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3ikqlgjt.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA707452506E417491E7BE378B7E97A.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp3E22.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3E22.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 56.192.122.92.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3320-0-0x0000000074A20000-0x0000000074FD1000-memory.dmp

memory/3320-1-0x0000000001420000-0x0000000001430000-memory.dmp

memory/3320-2-0x0000000074A20000-0x0000000074FD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3ikqlgjt.cmdline

MD5 d4d7e6883afa0a2350f64d02c6cfab9e
SHA1 d947222b01d0d8a1f4e32e07e73bbe41ea9ccfef
SHA256 a1a6a670306019bd662827b8066573761496725572cec18cf55dc876c0f85cc2
SHA512 9c9c00116dea53fe74e7dd8090ddcbadf8ea87f51ce95eb83027a275445d2ba6ed9e65380750526ed60ab05cdc954dd4ab1738702b5c472b7826d204041bc69f

memory/760-8-0x0000000002580000-0x0000000002590000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3ikqlgjt.0.vb

MD5 014933ad9788865788e4686bdc586182
SHA1 bbef1a01851d23bdb56e24bde749c660d55833bc
SHA256 a66c7d407a2f4635ecb2444f385cf6469081fd21bb91e2a39f7f046f17374f7a
SHA512 cab30a990d7c5cea6f80e20288f53f2505efd028f857b6956f7980369073af62d4e3f707f8f433e683d5de3f0e43a31ef61e8a84c6fe5ff8ffbc4f06e7745e74

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcCA707452506E417491E7BE378B7E97A.TMP

MD5 ff460d2d5373e4746d499f92fce12973
SHA1 c2c5532ee338d15015eff3b93c3745acc66173be
SHA256 0f9ee87eda344cc2e2e1ef7917aa92494de5bfa5de97b224b56a0a60592d096e
SHA512 4b95923d4f7d6895c1c09b4ee777752c5d2dea045bad4005717e1892a6c6e1cc76673a39517614e9a9633ff43212ef8a1ddc01ea6a3d3a13325d1dad1820b812

C:\Users\Admin\AppData\Local\Temp\RES3EFD.tmp

MD5 bd3c298f6d895b9c67b8b3c592a53443
SHA1 cfd4c5ea9698a7a00024589dd6ee35cfb2ef46d0
SHA256 7551ff46594b8907b2ddcba4d8aceed3338403812a28baa9c2df2bdeb9e93210
SHA512 7f7c1ebfe6631b77136626d5204ec6d9ea88e2afb5bcbe5a389af9cf2e5e46b15c3093ff4a9ebbf683557dc5b658427a781c7bea5790945cc1527c57780b3716

C:\Users\Admin\AppData\Local\Temp\tmp3E22.tmp.exe

MD5 cbe62edd92d5054a1f25efa744b4daa4
SHA1 50978fac9c188dd1fcb49f06fc45ab6a74eb3544
SHA256 3467b3cc823d7159632cb946baaf36b78b25e12f56bc78953008b3f123e58cda
SHA512 f6899741538ebace6bc6876c84cf73d6bb86f45d8b29b506a097439c24967a371912d9781f0016749b1b1ce927faf7e936e00f66e0432c0a530bce175a5e9086

memory/4656-23-0x0000000001770000-0x0000000001780000-memory.dmp

memory/4656-22-0x0000000074A20000-0x0000000074FD1000-memory.dmp

memory/3320-21-0x0000000074A20000-0x0000000074FD1000-memory.dmp

memory/4656-24-0x0000000074A20000-0x0000000074FD1000-memory.dmp

memory/4656-26-0x0000000001770000-0x0000000001780000-memory.dmp

memory/4656-27-0x0000000074A20000-0x0000000074FD1000-memory.dmp

memory/4656-28-0x0000000001770000-0x0000000001780000-memory.dmp

memory/4656-29-0x0000000001770000-0x0000000001780000-memory.dmp