Malware Analysis Report

2024-11-13 14:01

Sample ID 240407-26yrashd4t
Target 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8
SHA256 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8

Threat Level: Known bad

The file 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:12

Reported

2024-04-07 23:14

Platform

win7-20240221-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2230.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp2230.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp2230.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2408 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
PID 2008 wrote to memory of 2616 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 2408 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe C:\Users\Admin\AppData\Local\Temp\tmp2230.tmp.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe

"C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ev99sy1m.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc22CC.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp2230.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2230.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 34.67.9.172:80 bejnz.com tcp 96
US 8.8.8.8:53 hackorchronix.no-ip.biz udp 1

Files

memory/2408-2-0x0000000000330000-0x0000000000370000-memory.dmp

memory/2408-1-0x0000000074090000-0x000000007463B000-memory.dmp

memory/2408-0-0x0000000074090000-0x000000007463B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ev99sy1m.cmdline

MD5 1b268439b1d981f7e37c2b2e6d7aeb20
SHA1 7d2a9afdab429e53904b9ab3245a63215116fd09
SHA256 4c3f77311a634f6744ac23bca956e500ac9c6091b6b7914a09abb5a33bf063ed
SHA512 5a5dd8b45753481791a1ed760b150163639a4970e3723e47bcc9366df8214bed41ecd131d09618ea387521dc3a7937959bbb560f7d33dec5004d88127627c0da

C:\Users\Admin\AppData\Local\Temp\ev99sy1m.0.vb

MD5 3fb38591e1c58ebc526127f99a8ae7d7
SHA1 b4eaa99c60e689ae7061b295c6d9726887af4663
SHA256 9f35fbf5f20e431288398b83c4664c116f3207c4e65e3a0a2eef947cbdc90a93
SHA512 8af413e8588e3af88ae17214f154a623fd0afb3c2b9509051a5139ae1b91b3c0c72b33088eeaf255b1fee3d0f4126972082fe10fc93204509fc90e1f0656bcf9

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\tmp2230.tmp.exe

MD5 8bb2caa71e4ba40ea49268915667f8ca
SHA1 dbbf8ce0c2a78fe73c63e962ea877a99cb98cea1
SHA256 bcee7f683ab73b8af96062956386df5f8212368be00d7e6e58b911604cf31fb4
SHA512 a405606f16ec350a8eef533b1181ebca6f30d6498db3d42e86428d68c1378935f715e094351e0157f50e1d5e88b22b96febe51b7b0b84307408be57aafe94620

C:\Users\Admin\AppData\Local\Temp\RES22CD.tmp

MD5 bacaf2e0f018d73fe94ef853ad01fa46
SHA1 ac3e2ad14f0ca3f05443424242afc38b9ed06b0c
SHA256 ed46be4a2686a6e375bad2b771bdab97ba55913c4dfd5daf9c25a097f70d8fc3
SHA512 431c805f5f7c000872518dc2e3dce4196cfb7880524e7baed21a7a8b895a98b397af37ef22044b654581945b195db053754a8b1a074da0cda25950352668581d

C:\Users\Admin\AppData\Local\Temp\vbc22CC.tmp

MD5 dc50ae906c71dcdec15d63530401352f
SHA1 cb260e3f9e0bc2f33d325d1a16178487b26b9f2b
SHA256 e6c3266141f87ebbafe6800862b791972fa1f84a458e8e2846036686ed5dea2a
SHA512 d094ed1e932b18a5f0e188a43e7815e8a9ed84ab06401d9efb15ffabeef5a1c1b0eb330618411791994353da3a45230c9cb6237526c113fb00d56a6d8752b4a6

memory/2408-22-0x0000000074090000-0x000000007463B000-memory.dmp

memory/2144-23-0x0000000074090000-0x000000007463B000-memory.dmp

memory/2144-24-0x0000000002030000-0x0000000002070000-memory.dmp

memory/2144-25-0x0000000074090000-0x000000007463B000-memory.dmp

memory/2144-27-0x0000000002030000-0x0000000002070000-memory.dmp

memory/2144-29-0x0000000002030000-0x0000000002070000-memory.dmp

memory/2144-28-0x0000000074090000-0x000000007463B000-memory.dmp

memory/2144-30-0x0000000002030000-0x0000000002070000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:12

Reported

2024-04-07 23:14

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp3662.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp3662.tmp.exe N/A
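The Run value above (and the identical one written in behavioral1) is set by the dropped tmp3662.tmp.exe, points at C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe, and uses the value name System.XML, which reads like a framework component. AppLaunch.exe is the name of a legitimate .NET Framework binary that lives under %WINDIR%\Microsoft.NET\Framework\; a file of that name in a user's Temp directory is not the framework's. Neither run's Files list records an AppLaunch.exe being written, so the persistence target is either staged outside the analysis window or by something the sandbox did not capture. The Python below is an added triage example, not code from the report or the sandbox vendor: it parses Run values in the form logged here, flags targets under user-writable locations, flags well-known framework binary names found outside their normal install path, and flags value names that mimic system components. The first entry is the one from this report; the other two entries, the location list and the name list are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Run-key values as the sandbox logs them: (value name, value data).
# The first pair is the one recorded in this report; the other two are constructed
# benign entries for contrast and are not from the page.
RUN_VALUES = [
    ("System.XML", r'"C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe"'),
    ("OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
]

# Assumption: user-writable roots a persistence target should not normally live under.
SUSPICIOUS_ROOTS = ("\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\", "\\windows\\temp\\")

# Names of binaries that ship with Windows or the .NET Framework and are sometimes
# dropped elsewhere under the same name. AppLaunch.exe normally lives under
# %WINDIR%\Microsoft.NET\Framework*\v*\ (assumption: this list is a starting point only).
FRAMEWORK_NAMES = {"applaunch.exe", "vbc.exe", "csc.exe", "cvtres.exe", "msbuild.exe"}
FRAMEWORK_HOME = "\\windows\\microsoft.net\\"


def extract_target(value_data: str) -> str:
    """Return the executable path from Run value data, quoted or unquoted."""
    data = value_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted: take the first whitespace-delimited token. An unquoted path that itself
    # contains spaces is ambiguous by design and is not resolved here.
    return data.split()[0]


def classify_run_value(name: str, value_data: str) -> dict:
    target = extract_target(value_data)
    low = target.lower()
    reasons = []
    if any(root in low for root in SUSPICIOUS_ROOTS):
        reasons.append("target under a user-writable or temp location")
    if PureWindowsPath(target).name.lower() in FRAMEWORK_NAMES and FRAMEWORK_HOME not in low:
        reasons.append("framework binary name outside %WINDIR%\\Microsoft.NET")
    # Crude heuristic: value names shaped like 'System.<Something>' imitate framework components.
    if re.fullmatch(r"System\.\w+", name):
        reasons.append("value name mimics a system component")
    return {"name": name, "target": target, "suspicious": bool(reasons), "reasons": reasons}


def triage(values):
    """Classify every (name, data) pair; returns one dict per Run value."""
    return [classify_run_value(n, d) for n, d in values]


if __name__ == "__main__":
    for r in triage(RUN_VALUES):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['name']:15} {r['target']}")
        for reason in r["reasons"]:
            print(f"{'':10}  - {reason}")
```

On a live host the same function can be fed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM and RunOnce equivalents); the report's entry trips all three checks, while the two constructed benign entries trip none.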

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp3662.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3572 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 3
PID 1212 wrote to memory of 100 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 3
PID 3572 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe C:\Users\Admin\AppData\Local\Temp\tmp3662.tmp.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe

"C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zr1cdr0h.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES372D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD82972DFEBE24FF6B44C1782B2A0A25C.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp3662.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3662.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe
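The process tree above, and the matching one in behavioral1, is the footprint of .NET runtime code generation rather than VBScript: the sample invokes vbc.exe (the Visual Basic .NET compiler, despite the sandbox label "VBS compiler") with /noconfig and a CodeDOM-style response file (zr1cdr0h.cmdline, beside the generated source zr1cdr0h.0.vb and zCom.resources listed under Files), vbc.exe calls cvtres.exe to build the resource object, and the parent then runs the freshly compiled tmp3662.tmp.exe with the original sample's path as its only argument. The WriteProcessMemory rows are each a parent writing into a child it has just created, which ordinary process start-up also produces, so the chain rather than the writes is the signal. Note also that zCom.resources carries the same hashes in both runs while the .vb source and the compiled output differ per run, so the resource file is the more stable file indicator. Legitimate software compiles at runtime too (Windows PowerShell's Add-Type goes through csc.exe the same way), so a detection needs an allowlist of build-tool parents. The Python below is an added example, not code from the report: it runs the correlation over Sysmon Event ID 1-style process events. The first four rows reproduce this run's tree (PIDs 3572, 1212, 100, 3316; the sample's own parent PID is an assumption); the devenv.exe rows and the parent allowlist are constructed.

```python
import re
from collections import defaultdict

# Process-creation events in the shape of Sysmon Event ID 1 (pid, ppid, image, command line).
# The first four rows reproduce the behavioral2 process tree recorded in this report
# (PIDs 3572, 1212, 100, 3316; the sample's own parent PID 4000 is an assumption).
# The devenv.exe/vbc.exe pair is a constructed benign build for contrast, not from the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
EVENTS = [
    {"pid": 3572, "ppid": 4000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1212, "ppid": 3572, "image": FW + r"\vbc.exe",
     "cmdline": f'"{FW}\\vbc.exe" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\zr1cdr0h.cmdline"'},
    {"pid": 100, "ppid": 1212, "image": FW + r"\cvtres.exe",
     "cmdline": FW + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES372D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD82972DFEBE24FF6B44C1782B2A0A25C.TMP"'},
    {"pid": 3316, "ppid": 3572, "image": r"C:\Users\Admin\AppData\Local\Temp\tmp3662.tmp.exe",
     "cmdline": f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp3662.tmp.exe" {SAMPLE}'},
    {"pid": 5000, "ppid": 1, "image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'vbc.exe /noconfig @"C:\Users\Admin\Source\proj\obj\Debug\build.cmdline"'},
]

COMPILERS = {"vbc.exe", "csc.exe"}
# Assumption: parents for which on-the-fly compilation is expected at this site.
BUILD_TOOL_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "w3wp.exe"}
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)
DROPPED_EXE_RE = re.compile(r"\\tmp[0-9a-f]+\.tmp\.exe$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_runtime_compile_chain(events):
    """Correlate: non-build parent -> vbc/csc with a Temp response file -> cvtres child,
    plus the same parent executing a tmpXXXX.tmp.exe from Temp (the compiler's output)."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        if basename(e["image"]) not in COMPILERS:
            continue
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else "<unknown>"
        if parent_name in BUILD_TOOL_PARENTS:
            continue                                  # expected build activity
        rsp = RESPONSE_FILE_RE.search(e["cmdline"])
        if not (rsp and TEMP_RE.search(rsp.group(1))):
            continue                                  # response file not in Temp: not the CodeDOM pattern
        finding = {
            "parent_pid": e["ppid"], "parent": parent_name, "compiler_pid": e["pid"],
            "response_file": rsp.group(1),
            "cvtres": any(basename(c["image"]) == "cvtres.exe" for c in children[e["pid"]]),
            "dropped_exe": None, "arg_is_parent": False,
        }
        # The compiler's output is run by the *parent*, so look at the compiler's siblings.
        for sib in children[e["ppid"]]:
            if DROPPED_EXE_RE.search(sib["image"]) and TEMP_RE.search(sib["image"]):
                finding["dropped_exe"] = sib["image"]
                # In this report the dropped binary receives the original sample's path as its argument.
                finding["arg_is_parent"] = bool(parent) and parent["image"].lower() in sib["cmdline"].lower()
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_runtime_compile_chain(EVENTS):
        print(f"[runtime-compile chain] parent={f['parent']} (pid {f['parent_pid']}) "
              f"compiler pid={f['compiler_pid']} rsp={basename(f['response_file'])} "
              f"cvtres={f['cvtres']} dropped={f['dropped_exe']} arg_is_parent={f['arg_is_parent']}")
```

Run against this report's tree the function returns exactly one finding, with cvtres and the dropped tmp3662.tmp.exe both attached and the parent's own path recognised in the dropped binary's command line; the constructed devenv.exe build is skipped by the parent allowlist.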

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp 1
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp 1
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 bejnz.com udp 1
US 34.67.9.172:80 bejnz.com tcp 101
US 8.8.8.8:53 hackorchronix.no-ip.biz udp 27
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp 1
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp 1
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp 1
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp 1
US 34.67.9.172:80 (none) tcp 1
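Both runs show the same two things on the wire: a single lookup of bejnz.com followed by a steady stream of TCP connections to 34.67.9.172:80 attributed to that name (96 in behavioral1, 102 in this run, the last one without a recorded name), and repeated lookups of hackorchronix.no-ip.biz (27 in this run) with no connection attributed to that name in either run, which is consistent with a dynamic-DNS name that did not resolve while the sample ran; the report does not show what it would have been used for. The in-addr.arpa rows are reverse lookups that the report does not tie to the sample's own traffic. The Python below is an added example, not part of the report: it parses rows in the report's Country/Destination/Domain/Proto layout, aggregates connections per destination, and separates names that were queried but never connected to, dynamic-DNS names, and reverse-lookup noise. The embedded rows are a constructed excerpt in this table's shape (the addresses and names are the report's), and the dynamic-DNS suffix list is an assumption.

```python
from collections import Counter

# Rows in the report's "Country Destination Domain Proto" layout. This is a constructed
# excerpt in the shape of the behavioral2 table (the full capture has 140 rows); the
# addresses and names are the ones the report records.
ROWS = """\
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 tcp
"""

# Assumption: a short list of free dynamic-DNS zones; extend from local threat intel.
DYNAMIC_DNS_SUFFIXES = (".no-ip.biz", ".no-ip.org", ".ddns.net", ".duckdns.org", ".hopto.org")


def parse_rows(text):
    """Parse one network row per line; a row may lack the Domain column (as the last one here does)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        host, port = dest.rsplit(":", 1)
        events.append({"country": country, "host": host, "port": int(port), "domain": domain, "proto": proto})
    return events


def summarize(events):
    conns = Counter()       # (host, port, attributed domain) -> count, non-DNS rows only
    dns = Counter()         # queried name -> count
    for e in events:
        if e["port"] == 53 and e["proto"] == "udp":
            dns[e["domain"]] += 1
        else:
            conns[(e["host"], e["port"], e["domain"])] += 1
    connected_names = {d for (_, _, d) in conns if d}
    forward = {n: c for n, c in dns.items() if n and not n.endswith(".in-addr.arpa")}
    return {
        "connections": conns,
        "dns": dns,
        "reverse_lookups": sum(c for n, c in dns.items() if n and n.endswith(".in-addr.arpa")),
        # Names looked up but never attributed to a connection: resolution probably
        # failed, or the peer is reached some other way.
        "queried_never_connected": {n: c for n, c in forward.items() if n not in connected_names},
        "dynamic_dns": {n: c for n, c in forward.items() if n.endswith(DYNAMIC_DNS_SUFFIXES)},
    }


if __name__ == "__main__":
    s = summarize(parse_rows(ROWS))
    for (host, port, domain), n in s["connections"].most_common():
        print(f"{n:4}  {host}:{port}  {domain or '(no name)'}")
    print("reverse lookups:", s["reverse_lookups"])
    print("queried, never connected:", s["queried_never_connected"])
    print("dynamic-DNS names:", s["dynamic_dns"])
```

Fed the full table instead of the excerpt, the same code yields the per-destination counts given in the aggregated table above; the name that is queried but never connected to is the one worth a block at the resolver, since a later run on a day the dynamic-DNS record resolves would change the destination list.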

Files

memory/3572-0-0x0000000074EF0000-0x00000000754A1000-memory.dmp

memory/3572-1-0x0000000074EF0000-0x00000000754A1000-memory.dmp

memory/3572-2-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zr1cdr0h.cmdline

MD5 fa517438f1e7b1bf4eecb51efa7aeaed
SHA1 f0d985a1580a0f2c1e949c0467f8bea5cb5d5067
SHA256 1081bb6246e1f4252eb82dc989311024e6d8d4a11af61ed82d91d71e4d0e8137
SHA512 0a28d19fc377ca44164684f1b9398e3a78083b64ffd175864624b78ebec286f982fda181565a0199fae9ae351dbf62b591ae2422ebfdf47f93b147e544858012

memory/1212-8-0x0000000002610000-0x0000000002620000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zr1cdr0h.0.vb

MD5 87e95cd471ec341640b222d6b07887c1
SHA1 f394065cfa6fae1e8b8374fbd31f763326f5abf3
SHA256 a08ee8d7eed1ff1f8b271c459ab7827aefbda960a28d3ea90554ee2fbf650115
SHA512 9d5954561ff89edc3a5cb9777e182f3f98468668b6565f85d78f9244d52cf603213f9e78fb76df0ba5bfb0e269085951934dac236b6bb02fbdd5800ec3f7c7c2

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcD82972DFEBE24FF6B44C1782B2A0A25C.TMP

MD5 b1553496892911a4a27d2ba942515085
SHA1 bea09ae3f3e67188041574d75d2e23daeeba5499
SHA256 28cd7862342a930af8325e878bac1a6b9c4317c41ee672695187a2f33bd40f87
SHA512 c287f50401ff863aa4e78d9cf0d2dd6da0ba6b1bc05777c7984239f3f9f1976d162d7569453a7d465de74aa2c823d6d69e22fda6d24d9f57febefa3b84baab20

C:\Users\Admin\AppData\Local\Temp\RES372D.tmp

MD5 1594e14faa6b9a419ef51ef3bdc33440
SHA1 4be649a8e1c8aa9a3f93f35c7b066f1e48c7e1ba
SHA256 b1a59a4e3691f8dba505d9bdab5f03165f9940b9d4b62fe2d13496298c4eac1c
SHA512 c7f91e8323ed9fb3f69cd3cc048fdcb223c425afd261b7ea43985172dc8bc3850b847420323ba86229cc0a75a933ac7d554d215dcaa07929873f416571d923a3

C:\Users\Admin\AppData\Local\Temp\tmp3662.tmp.exe

MD5 7f06c2d19f253fa1728a33115459f989
SHA1 3533a3e4c2e5594c52c57a7ab2e3e0227e546e40
SHA256 5eda6d03065a63a873f0611f94c72ca9ee416d64cb3547355ca1a7536eb64eb6
SHA512 e102893ff1f275f9b964266015fa42596e9117b0b7488c1480840210d9795d8bee576da626a90828aa158687cc20163a9adba05d5916583abc234325b58bcff8

memory/3572-21-0x0000000074EF0000-0x00000000754A1000-memory.dmp

memory/3316-23-0x0000000001790000-0x00000000017A0000-memory.dmp

memory/3316-22-0x0000000074EF0000-0x00000000754A1000-memory.dmp

memory/3316-24-0x0000000074EF0000-0x00000000754A1000-memory.dmp

memory/3316-26-0x0000000001790000-0x00000000017A0000-memory.dmp

memory/3316-28-0x0000000001790000-0x00000000017A0000-memory.dmp

memory/3316-27-0x0000000074EF0000-0x00000000754A1000-memory.dmp

memory/3316-29-0x0000000001790000-0x00000000017A0000-memory.dmp