Malware Analysis Report

2024-11-16 13:11

Sample ID: 240411-xzr8qaae69
Target: 1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a
SHA256: 1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a
Tags: persistence metamorpherrat rat stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a
Threat Level: Known bad

The file 1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a was found to be: Known bad.

Malicious Activity Summary

persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Deletes itself

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-11 19:17

Signatures

Unsigned PE

(No indicator, process or target is recorded for this signature.)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-11 19:17
Reported: 2024-04-11 19:20
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe"

Signatures

Deletes itself

Process: C:\Users\Admin\AppData\Local\Temp\tmp2CEA.tmp.exe
(No indicator or target recorded. This is the dropped executable, which the Processes section shows being started with the original sample's path as its only argument.)

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\tmp2CEA.tmp.exe
(No indicator or target recorded.)

Uses the VBS compiler for execution

(Signature name as given by the sandbox; the process involved is vbc.exe, the .NET Visual Basic compiler, not the VBScript engine. It is started with /noconfig and an @*.cmdline response file and in turn starts cvtres.exe, which is the process pattern of source compiled at runtime through System.CodeDom; the *.cmdline, *.0.vb, RES*.tmp and vbc*.tmp entries in the Files section are that compile's working files. No indicator or process is recorded for this signature.)

Adds Run key to start application

persistence
Action: Set value (str)
Key: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run
Value name: System.XML
Value data: "C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe"
Process: C:\Users\Admin\AppData\Local\Temp\tmp2CEA.tmp.exe

Note that the Run value points to AppLaunch.exe in the user's Temp directory, but no file of that name appears in the Files section of this run, so the persistence target is not confirmed by this listing alone; on a live host, check the HKCU Run value System.XML and whether the file it names exists.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe
Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\tmp2CEA.tmp.exe

Suspicious use of WriteProcessMemory

(Identical rows collapsed; the count is the number of recorded write events.)

PID 1692  C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe
  wrote to memory of PID 2468  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (4 events)

PID 2468  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  wrote to memory of PID 2584  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (4 events)

PID 1692  C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe
  wrote to memory of PID 2528  C:\Users\Admin\AppData\Local\Temp\tmp2CEA.tmp.exe  (4 events)

Processes

Process tree (PIDs and parent/child nesting taken from the WriteProcessMemory entries above; the first line of each entry is the image, the second its command line):

1692  C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe
      "C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe"

  2468  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tbq-p7_x.cmdline"

    2584  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D97.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D96.tmp"

  2528  C:\Users\Admin\AppData\Local\Temp\tmp2CEA.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp2CEA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 8.8.8.8:53 hackorchronix.no-ip.biz udp 1
US 34.67.9.172:80 bejnz.com tcp 80
US 34.67.9.172:80 (none) tcp 1

(83 rows collapsed with a count column. All 81 TCP connections go to 34.67.9.172 on port 80. hackorchronix.no-ip.biz is queried once and no connection is attributed to that name.)

Files

memory/1692-0-0x00000000744D0000-0x0000000074A7B000-memory.dmp

memory/1692-1-0x00000000744D0000-0x0000000074A7B000-memory.dmp

memory/1692-2-0x0000000000070000-0x00000000000B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tbq-p7_x.cmdline

MD5 fd83d9fc5d521718e71b37afc896ee0d
SHA1 1729fc7b4f32705ed4f3bab1758032ae03272807
SHA256 62101747b869e287d20e9c7f98bf450e2a798db69039cce0d3d90a42bd93eec9
SHA512 6d3c10f97323ff081bf2ecf114ec7463a14e17c9b18d36ca36a525c2e11bb91149115caee281547124f4920fcf352a5ef3a95b8423e6126dd2cafd2efa7ff950

C:\Users\Admin\AppData\Local\Temp\tbq-p7_x.0.vb

MD5 acbbe96d9415ba0fd9e60fd4e0735e97
SHA1 2494fc9b27066f8aaee54aa5a5ebf999ead5a7bb
SHA256 1c17bfa49a4c2943f414a83182d28c229aa224d0b22914d9bda153cf891a6830
SHA512 6b65e5fd8bd7d07b76675a92754ef70880c70aa0531d4530b9445ed352bebb8bbf4d668797d070d271a073e4c02a6593f16f8418c5fe4fd36045bd0cdf54ac92

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\tmp2CEA.tmp.exe

MD5 09252445d37dae6d98158434099a935f
SHA1 449991a5bae01c0c4e1f3139c11c148c65932dfd
SHA256 1722f485639057ea429cb42f0c5b44fb493aaa8f91aea44150a1676b95fe0ee2
SHA512 f4ffad86884860df0ee8134ec92d9303e3d6b51850e94da2c7e77797e03c896f289a312afb715a5b6f61dbddb8453cd38ba1e040dec8359501c2fc0d05f601da

C:\Users\Admin\AppData\Local\Temp\RES2D97.tmp

MD5 87a1a3f1493d0be1771dcf0a0052bf8b
SHA1 4f558a27309d018d293b8d8245c2c6331c66105b
SHA256 f4b6fb0f26301083b4a1bbe85884db51e005dddf7b9633c9fb195243514e29ad
SHA512 2b3d931c6bede3dd280eaf8c096b51c0d09470aba0cfde5a8fd07c624e60d23ec4d26bd04fa42ac3240e1879aad42be620f24ddb4cfe59d678ff2ed0ff2251b0

C:\Users\Admin\AppData\Local\Temp\vbc2D96.tmp

MD5 b808d16ee5c32357c3561e07586eed17
SHA1 54f68f2fce48aa1bb73646c6bdbc3f94bfdc858a
SHA256 c52796ac119a40015126db66726122f35dcd24ec79727efa83d5c82ad2de6ae2
SHA512 d5aa031613cf043826add904e6a87d4c946207b43fe271a5346a191e6ea15fdd6e567c35a2d9d7eea311fd77eaaf03847bbc2678a8f86874712c46db92e5efc4

memory/2528-23-0x00000000744D0000-0x0000000074A7B000-memory.dmp

memory/2528-24-0x0000000000180000-0x00000000001C0000-memory.dmp

memory/1692-22-0x00000000744D0000-0x0000000074A7B000-memory.dmp

memory/2528-25-0x00000000744D0000-0x0000000074A7B000-memory.dmp

memory/2528-27-0x0000000000180000-0x00000000001C0000-memory.dmp

memory/2528-28-0x00000000744D0000-0x0000000074A7B000-memory.dmp

memory/2528-29-0x0000000000180000-0x00000000001C0000-memory.dmp

memory/2528-30-0x0000000000180000-0x00000000001C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-11 19:17
Reported: 2024-04-11 19:20
Platform: win10v2004-20240226-en
Max time kernel: 139s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe"

Signatures

MetamorpherRAT

Tags: trojan rat stealer metamorpherrat

Checks computer location settings

Action: Key value queried
Key: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\tmp445C.tmp.exe
(No indicator or target recorded.)

Uses the VBS compiler for execution

(As in behavioral1: the process is vbc.exe, the .NET Visual Basic compiler, started with /noconfig and an @*.cmdline response file and followed by cvtres.exe, the pattern of a System.CodeDom compile at runtime. No indicator or process is recorded for this signature.)

Adds Run key to start application

persistence
Action: Set value (str)
Key: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: System.XML
Value data: "C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe"
Process: C:\Users\Admin\AppData\Local\Temp\tmp445C.tmp.exe

The same value name and target as in behavioral1; again, no AppLaunch.exe appears in this run's Files section.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe
Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\tmp445C.tmp.exe

Suspicious use of WriteProcessMemory

(Identical rows collapsed; the count is the number of recorded write events.)

PID 3064  C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe
  wrote to memory of PID 5040  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (3 events)

PID 5040  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  wrote to memory of PID 3632  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (3 events)

PID 3064  C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe
  wrote to memory of PID 3892  C:\Users\Admin\AppData\Local\Temp\tmp445C.tmp.exe  (3 events)

Processes

Process tree (PIDs and parent/child nesting taken from the WriteProcessMemory entries above; the first line of each entry is the image, the second its command line):

3064  C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe
      "C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe"

  5040  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h4yskf9d.cmdline"

    3632  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4508.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6A878C4E15D4E44B9E3727621291FF8.TMP"

  3892  C:\Users\Admin\AppData\Local\Temp\tmp445C.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp445C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe
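Both behavioral runs record the same execution chain: the sample, running from the user's Temp directory, starts vbc.exe with /noconfig and a *.cmdline response file; vbc.exe starts cvtres.exe; a tmp*.tmp.exe dropped in Temp is then executed with the sample's own path as its argument; and that dropped executable writes a Run value pointing to Temp\AppLaunch.exe. The Python below is an added example, not part of the sandbox report or of the sample, showing detection logic for those four behaviours run over process-creation and registry events constructed from the behavioral1 entries. PIDs, paths and the Run value are taken from this page; the allow-list of legitimate compiler parents, the inclusion of csc.exe as the C# counterpart of vbc.exe, and the parent PID of the sample are assumptions.

```python
import re
from dataclasses import dataclass

# Assumption: the sandbox user profile seen in this report (compared case-insensitively).
TEMP_DIR = r"c:\users\admin\appdata\local\temp"
# vbc.exe is what the report shows; csc.exe is added as the C# counterpart (generalisation).
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}
# Hypothetical allow-list of parents for which a command-line compile is expected.
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe", "dotnet.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:
    pid: int
    key: str
    data: str


def basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_temp(path: str) -> bool:
    return path.strip('"').lower().startswith(TEMP_DIR)


def find_alerts(procs, regs):
    """Return (rule, pid, detail) tuples for the four behaviours recorded in this report."""
    by_pid = {p.pid: p for p in procs}
    alerts = []
    for p in procs:
        name = basename(p.image)
        parent = by_pid.get(p.ppid)
        pname = basename(parent.image) if parent else ""
        grand = by_pid.get(parent.ppid) if parent else None
        gname = basename(grand.image) if grand else ""
        # Rule 1: a .NET command-line compiler fed a response file (/noconfig @x.cmdline)
        # by a parent that is not a development tool: source compiled after delivery.
        if (name in DOTNET_COMPILERS and re.search(r"/noconfig\s+@", p.cmdline, re.I)
                and pname not in DEV_PARENTS):
            alerts.append(("runtime_compile", p.pid, f"{pname} -> {name}"))
        # Rule 2: cvtres.exe (resource conversion step of the same compile) under a
        # compiler whose own parent is not a development tool.
        if name == "cvtres.exe" and pname in DOTNET_COMPILERS and gname not in DEV_PARENTS:
            alerts.append(("runtime_compile_resources", p.pid, f"{gname} -> {pname} -> {name}"))
        # Rule 3: an executable in TEMP started by another executable in TEMP; record
        # whether the child is handed its parent's image path on the command line.
        if in_temp(p.image) and parent is not None and in_temp(parent.image):
            self_ref = parent.image.strip('"').lower() in p.cmdline.lower()
            note = " (argument is parent image)" if self_ref else ""
            alerts.append(("dropped_exe_from_temp", p.pid, f"{pname} -> {name}{note}"))
    for r in regs:
        # Rule 4: a Run-key value whose target lives in TEMP.
        if re.search(r"\\currentversion\\run\\", r.key, re.I) and in_temp(r.data):
            value_name = r.key.rsplit("\\", 1)[-1]
            alerts.append(("run_key_to_temp", r.pid, f"{value_name} = {r.data}"))
    return alerts


# Events constructed from the behavioral1 Processes, WriteProcessMemory and Run-key entries
# on this page. ppid 0 for the sample is an assumption (the report does not name its parent).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NETFX = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = TEMP + r"\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe"
DROPPED = TEMP + r"\tmp2CEA.tmp.exe"

REPORT_PROCS = [
    ProcEvent(1692, 0, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(2468, 1692, NETFX + r"\vbc.exe",
              '"' + NETFX + r'\vbc.exe" /noconfig @"' + TEMP + r'\tbq-p7_x.cmdline"'),
    ProcEvent(2584, 2468, NETFX + r"\cvtres.exe",
              NETFX + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP
              + r'\RES2D97.tmp" "' + TEMP + r'\vbc2D96.tmp"'),
    ProcEvent(2528, 1692, DROPPED, '"' + DROPPED + '" ' + SAMPLE),
]
REPORT_REGS = [
    RegEvent(2528, r"\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000"
             r"\Software\Microsoft\Windows\CurrentVersion\Run\System.XML",
             '"' + TEMP + r'\AppLaunch.exe"'),
]


def demo():
    return find_alerts(REPORT_PROCS, REPORT_REGS)


if __name__ == "__main__":
    for rule, pid, detail in demo():
        print(f"{rule:26} pid={pid:<5} {detail}")
```

Rules 1 and 2 key on the parent rather than on vbc.exe or cvtres.exe alone, because both binaries are legitimately busy on build machines; the same chain started by devenv.exe or msbuild.exe produces no alert. Rule 3 records the self-referencing argument separately so that an analyst can correlate it with the "Deletes itself" signature rather than having the rule assert what the argument is for.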

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 8.8.8.8:53 hackorchronix.no-ip.biz udp 25
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp 1
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp 1
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp 1
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp 1
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp 1
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp 1
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp 1
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp 1
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp 1
US 20.231.121.79:80 (none) tcp 1
US 34.67.9.172:80 bejnz.com tcp 89

(127 rows collapsed with a count column. The 25 hackorchronix.no-ip.biz lookups are spread through the whole run, one for every two to five bejnz.com connections, and no TCP connection is attributed to that name. The in-addr.arpa rows are reverse (PTR) lookups; 172.9.67.34.in-addr.arpa is the reverse record of 34.67.9.172, the bejnz.com host.)
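The Network tables of both runs show the same shape: one host (34.67.9.172:80, bejnz.com) receives nearly every TCP connection, a dynamic-DNS name (hackorchronix.no-ip.biz) is queried over and over but never connected to, and a handful of in-addr.arpa rows are reverse lookups rather than traffic the sample initiated. The Python below is an added example, not part of the sandbox report, that reads rows in the same layout as those tables and turns them into the summary a responder wants: per-name lookup counts, per-destination connection counts, the IPs behind the PTR queries, and findings for the three patterns above. The embedded rows are a constructed excerpt of the behavioral2 table; the dynamic-DNS suffix list and the beacon thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed excerpt of the behavioral2 Network table on this page (same row layout, fewer rows).
NETWORK_ROWS = """\
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
"""

# Assumption: a short list of dynamic-DNS provider suffixes; extend it from your own intel.
DDNS_SUFFIXES = (".no-ip.biz", ".no-ip.org", ".ddns.net", ".duckdns.org", ".hopto.org")
# Assumptions: thresholds for calling one destination a beacon candidate.
BEACON_MIN_CONNS = 5
BEACON_MIN_SHARE = 0.5

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        d = m.groupdict()
        d["port"] = int(d["port"])
        rows.append(d)
    return rows


def ptr_targets(rows):
    """IPs behind reverse lookups, e.g. 172.9.67.34.in-addr.arpa -> 34.67.9.172."""
    out = []
    for r in rows:
        if r["port"] == 53 and r["domain"] and r["domain"].endswith(".in-addr.arpa"):
            octets = r["domain"][: -len(".in-addr.arpa")].split(".")
            out.append(".".join(reversed(octets)))
    return out


def summarize(rows):
    """Return (dns_counts, conn_counts, findings)."""
    dns = Counter(r["domain"] for r in rows
                  if r["port"] == 53 and r["proto"] == "udp" and r["domain"])
    conns = Counter((r["ip"], r["port"], r["domain"] or "-") for r in rows if r["port"] != 53)
    connected = {dom for (_, _, dom) in conns if dom != "-"}
    findings = []
    for name, n in dns.items():
        if name.endswith(".in-addr.arpa"):
            continue  # reverse lookups: useful for attribution, not the sample's own destinations
        if name.endswith(DDNS_SUFFIXES):
            findings.append(("dynamic_dns_domain", name, n))
        if name not in connected:
            findings.append(("lookup_without_connection", name, n))
    total = sum(conns.values())
    for (ip, port, dom), n in conns.items():
        if port == 80 and n >= BEACON_MIN_CONNS and n / total >= BEACON_MIN_SHARE:
            findings.append(("port80_beacon_candidate", f"{dom} {ip}:{port}", n))
    return dns, conns, findings


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    dns, conns, findings = summarize(rows)
    for name, n in dns.most_common():
        print(f"dns  {n:3}  {name}")
    for (ip, port, dom), n in conns.most_common():
        print(f"conn {n:3}  {ip}:{port}  {dom}")
    print("ptr targets:", ptr_targets(rows))
    for f in findings:
        print("finding:", f)
```

A name that is resolved repeatedly but never connected to is worth keeping as an indicator even though it generated no traffic in the sandbox: on the page it is the only other infrastructure the sample knows about. The beacon rule deliberately uses a share of all connections rather than an absolute count alone, so a run with little other traffic still surfaces the dominant destination.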

Files

memory/3064-0-0x0000000074720000-0x0000000074CD1000-memory.dmp

memory/3064-1-0x0000000000A20000-0x0000000000A30000-memory.dmp

memory/3064-2-0x0000000074720000-0x0000000074CD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\h4yskf9d.cmdline

MD5 3e3f1ae67ceaee3d4de447e3c2f705ef
SHA1 c2df63480144d55a3760924e24ff6bbbd01cc516
SHA256 1a558a8fde7aeee636aafcf06b6066a390648f1be71f627e1d5f689ee92a8c07
SHA512 53c919a4e6fd0c22b75198b9beb1577c797dec5673475f96b7149020e7e0e4242490f890008c25074cf9343da803272f91c57c2087bd94fd75a6209e1dce756a

memory/5040-8-0x00000000006E0000-0x00000000006F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\h4yskf9d.0.vb

MD5 88f56f7799e75ba444b25f4c46f114d1
SHA1 ee363f00fb685f2a0c69cca30d814a432be5c558
SHA256 ab5fd3e16c5babe1bda7d477716c8015fcf74ec4b7d16d8073be25d1067daed0
SHA512 188aed61bcdfcc50ff8194af6ea2e35b19f2742003a7641597a2996bf2900b66d026e23c48945bcba17e527b9b565d66f21556294d05a73c844f0ede7aaf6e6f

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcA6A878C4E15D4E44B9E3727621291FF8.TMP

MD5 f85881a38d34c3a0af520bc976b42094
SHA1 743fb9d9f2d13a63a40b3ba0db1bbd1faf8d2d77
SHA256 3aa17f4bb630fd3ba61fea472bc61ca48323ae17381288d607638405be4b5f2e
SHA512 7171c258f55101743c19c968a691b790093fd796bbc0d176f238570579fd1866622b73263c13a256af4aed028f3dd500198c2e057c0bc18d76bb842b0b523cb2

C:\Users\Admin\AppData\Local\Temp\RES4508.tmp

MD5 b197d5832c67410f1ce745719ae04ba2
SHA1 660edd094e8040c3416057bc2dc46d8ec887f176
SHA256 49b7ba1cbbc2efc2cc3d242103016d2200ba612e1960c89b87b164b8cf4b0635
SHA512 84b9f04b4016bc08bf8e2da1a94ad0e81a0d2290d6cb83ed20d2018b6f40a71a013243521f9baeac8f56aa354b4d67b66d1ed62bc6f039ec3cdc526c6a93065f

C:\Users\Admin\AppData\Local\Temp\tmp445C.tmp.exe

MD5 136f6bb0f797dca8f090ec0dcf20c99d
SHA1 40ed42ec7ee0e9244afcec1abebfe6180fb69e6c
SHA256 cdfc2124c1ac3c3f4ae6d85787f86ab3b002e94543b138add1e22917cd92324e
SHA512 54424e8df0961ad4fb466c7abf46bd5d07eae8c8818997b142b01a025b6cd86b189d209ddf7d1996eda10621081d6d80576a9651fd98342914c68fdc541d4a69

memory/3892-22-0x0000000074720000-0x0000000074CD1000-memory.dmp

memory/3064-21-0x0000000074720000-0x0000000074CD1000-memory.dmp

memory/3892-23-0x00000000015D0000-0x00000000015E0000-memory.dmp

memory/3892-24-0x0000000074720000-0x0000000074CD1000-memory.dmp

memory/3892-26-0x00000000015D0000-0x00000000015E0000-memory.dmp

memory/3892-27-0x0000000074720000-0x0000000074CD1000-memory.dmp

memory/3892-28-0x00000000015D0000-0x00000000015E0000-memory.dmp

memory/3892-29-0x00000000015D0000-0x00000000015E0000-memory.dmp