Malware Analysis Report

2024-11-16 13:10

Sample ID 240408-3jekksfa93
Target 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170
SHA256 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170
Tags
persistence metamorpherrat rat stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170

Threat Level: Known bad

The file 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170 was found to be: Known bad.

Malicious Activity Summary

persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Loads dropped DLL

Uses the VBS compiler for execution

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

The matrix itself is not reproduced in this export. Mapped from the behaviours recorded below, the run covers at least: Boot or Logon Autostart Execution: Registry Run Keys (T1547.001, the System.XML Run value), Obfuscated Files or Information: Compile After Delivery (T1027.004, the vbc.exe chain), System Location Discovery (T1614, the Geo\Nation query) and System Information Discovery (T1082, physical storage enumeration).

Analysis: static1

Detonation Overview

Reported

2024-04-08 23:32

Signatures

Unsigned PE

No indicator, process or target is recorded for this signature: the static check only reports that the file carries no Authenticode certificate table.
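What "Unsigned PE" actually tests, as an added example in Python (not the sandbox's own logic): an Authenticode signature lives in the PE certificate table, data directory entry 4, and an unsigned file simply has a zero entry there. `build_header()` fabricates a header-only PE32 image so the script runs offline; nothing in it is taken from the sample's bytes. A non-empty entry only says a signature blob is present; whether it verifies still needs chain validation (`signtool verify /pa` or `Get-AuthenticodeSignature`), which this script does not attempt.

```python
"""Check whether a PE file carries an Authenticode certificate table at all.

Added example, not the sandbox's own logic. build_header() fabricates a
header-only PE32 image for demonstration; nothing here is taken from the
sample's bytes. A non-empty entry means a signature blob is present, not that
it verifies.
"""
import struct
import sys
from typing import Tuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the certificate table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def security_directory(data: bytes) -> Tuple[int, int]:
    """Return (file_offset, size) of the certificate table; (0, 0) when absent.

    Raises ValueError for anything that is not a PE image. Unlike the other
    data directories this entry holds a raw file offset, not an RVA.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_num_sections, size_of_optional) = struct.unpack_from("<2xH12xH2x", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        num_rva_off, dir_base = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        num_rva_off, dir_base = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (num_rva,) = struct.unpack_from("<I", data, num_rva_off)
    entry = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if num_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional:
        return (0, 0)
    offset, size = struct.unpack_from("<II", data, entry)
    return (offset, size)


def is_signed(data: bytes) -> bool:
    """True when a certificate table is present (a signature blob exists)."""
    offset, size = security_directory(data)
    return offset != 0 and size != 0


def build_header(cert_offset: int = 0, cert_size: int = 0) -> bytes:
    """Constructed header-only PE32 image (i386, 16 data directories, no sections)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)    # SizeOfOptionalHeader = 224
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_offset, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print("signed" if is_signed(fh.read()) else "unsigned (empty certificate table)")
    else:
        print("constructed unsigned header:", is_signed(build_header()))
        print("constructed signed header:  ", is_signed(build_header(0x1000, 0x800)))
```

Run it against a real file with `python check_pe.py file.exe`; for the sample in this report the expected result is an empty certificate table. Keep in mind that many legitimate files are catalog-signed (the signature sits in a .cat file, not in the PE), so an empty table is a prompt to look further, not proof of malice on its own.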

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 23:32

Reported

2024-04-08 23:34

Platform

win7-20231129-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe"

Signatures

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\tmp7FC.tmp.exe

Uses the VBS compiler for execution

The sample invokes vbc.exe from the .NET Framework 2.0 directory with a generated response file (smp-owm7.cmdline) to compile the dropped source smp-owm7.0.vb at run time; both files are listed under Files and the command line under Processes.

Adds Run key to start application (persistence)

Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\tmp7FC.tmp.exe

The value name borrows a .NET namespace (System.XML) and the target borrows the name of the .NET Framework's own AppLaunch.exe, but it points into the user's Temp directory. No AppLaunch.exe appears among the files recorded for this run, so the autostart target itself was not captured here.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege, process C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
Token: SeDebugPrivilege, process C:\Users\Admin\AppData\Local\Temp\tmp7FC.tmp.exe

Both processes launch children. The .NET Framework's System.Diagnostics.Process class enables SeDebugPrivilege the first time it is used, so this entry is expected for a managed launcher and carries little weight on its own.

Suspicious use of WriteProcessMemory

PID 2748 (sample) wrote to memory of PID 3040 (vbc.exe): 4 writes
PID 3040 (vbc.exe) wrote to memory of PID 2104 (cvtres.exe): 4 writes
PID 2748 (sample) wrote to memory of PID 2612 (tmp7FC.tmp.exe): 4 writes

Every write targets a process the writer has just launched (compare the Processes tree), so this signature coincides with process creation here and is not, by itself, evidence of injection into an unrelated process.

Processes

PID 2748  C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
          "C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe"

  PID 3040  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\smp-owm7.cmdline"

    PID 2104  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc889.tmp"

  PID 2612  C:\Users\Admin\AppData\Local\Temp\tmp7FC.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmp7FC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe

Parent/child relations are taken from the WriteProcessMemory entries above. The chain is the .NET CodeDom compile-at-run-time pattern: the sample writes a response file and a .vb source to Temp, vbc.exe (the Visual Basic compiler shipped with the .NET Framework) compiles it, cvtres.exe converts the resource file vbc889.tmp into RES88A.tmp for linking, and the sample then runs the freshly dropped tmp7FC.tmp.exe with its own path as the only argument. Because the payload is built on the victim, its hash differs between detonations (MD5 40606f2ec6a461dc4acdf4721e352c4e here, 4b83d2ae2139702e8e60ae651c4a9437 in behavioral2), as do the .vb source and .cmdline files; only zCom.resources is identical in both runs. Hash IOCs for the compiled stage are therefore of little use. Detection should key on the behaviour: an unsigned executable in a user Temp directory spawning vbc.exe, vbc.exe spawning cvtres.exe, a new executable in Temp being run immediately afterwards, and a Run-key write pointing into Temp.

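The behavioural detection described above, written out as an added Python example (not code from the sandbox or from the sample). The process and registry events are constructed: the first four process rows and the registry row mirror the behavioral1 tree (PIDs 2748, 3040, 2104, 2612 and the System.XML Run value), while the MSBuild rows are a benign control showing that a developer build invoking the same vbc.exe from Program Files does not fire. The field layout is a deliberate simplification of Sysmon event IDs 1 and 13, not a Sysmon parser.

```python
"""Flag the compile-then-run chain and the Temp-based Run key from this report
in process-creation and registry telemetry.

Added example; it is not code from the sandbox or from the sample. The event
records are constructed: the first four process rows and the registry row
mirror behavioral1 (PIDs 2748/3040/2104/2612), the MSBuild rows are a benign
control. Field names are a deliberate simplification of Sysmon event IDs 1 and
13, not a Sysmon parser.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
DOTNET_COMPILER = re.compile(r"\\microsoft\.net\\framework(64)?\\v[\d.]+\\(vbc|csc)\.exe$", re.I)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:
    pid: int
    image: str
    key: str
    value: str


# Paths copied from the behavioral1 section of the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\tmp7FC.tmp.exe"
RSP = r"C:\Users\Admin\AppData\Local\Temp\smp-owm7.cmdline"
RES = r"C:\Users\Admin\AppData\Local\Temp\RES88A.tmp"
VBCTMP = r"C:\Users\Admin\AppData\Local\Temp\vbc889.tmp"
RUN_VALUE = r"\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML"
# Constructed benign control: a developer build invoking the same compiler.
MSBUILD = r"C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe"
BUILD_RSP = r"C:\src\app\obj\Debug\app.vbproj.cmdline"

PROC_EVENTS = [
    ProcEvent(2748, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3040, 2748, VBC, f'"{VBC}" /noconfig @"{RSP}"'),
    ProcEvent(2104, 3040, CVTRES, f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{RES}" "{VBCTMP}"'),
    ProcEvent(2612, 2748, PAYLOAD, f'"{PAYLOAD}" {SAMPLE}'),
    ProcEvent(4100, 4000, MSBUILD, f'"{MSBUILD}" app.vbproj'),
    ProcEvent(4101, 4100, VBC, f'"{VBC}" /noconfig @"{BUILD_RSP}"'),
]
REG_EVENTS = [
    RegEvent(2612, PAYLOAD, RUN_VALUE, r'"C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe"'),
]


def compile_after_delivery(events: List[ProcEvent]) -> List[Tuple[int, str, Optional[str]]]:
    """(compiler_pid, parent_image, response_file) for every vbc/csc launched by a
    parent running from a user-writable AppData path. A developer build driven
    by MSBuild from Program Files does not match."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or not DOTNET_COMPILER.search(e.image) or not USER_WRITABLE.search(parent.image):
            continue
        m = RESPONSE_FILE.search(e.cmdline)
        hits.append((e.pid, parent.image, m.group(1) if m else None))
    return hits


def compiled_payload_executed(events: List[ProcEvent]) -> List[int]:
    """PIDs of executables started from AppData by a parent that also spawned a
    .NET compiler in this tree: the 'compile, then execute' step."""
    compiler_parents = {e.ppid for e in events if DOTNET_COMPILER.search(e.image)}
    return [e.pid for e in events
            if e.ppid in compiler_parents
            and USER_WRITABLE.search(e.image)
            and not DOTNET_COMPILER.search(e.image)]


def suspicious_run_values(events: List[RegEvent]) -> List[Tuple[str, str]]:
    """(value_name, target) for Run-key writes whose target, or whose writer,
    lives under AppData; the report's System.XML entry pointing at Temp matches."""
    hits = []
    for r in events:
        if not RUN_KEY.search(r.key):
            continue
        target = r.value.strip('"')
        if USER_WRITABLE.search(target) or USER_WRITABLE.search(r.image):
            hits.append((r.key.rsplit("\\", 1)[1], target))
    return hits


if __name__ == "__main__":
    for pid, parent, rsp in compile_after_delivery(PROC_EVENTS):
        print(f"compiler pid {pid} launched by {parent} with response file {rsp}")
    for pid in compiled_payload_executed(PROC_EVENTS):
        print(f"compiled payload executed: pid {pid}")
    for name, target in suspicious_run_values(REG_EVENTS):
        print(f"Run value {name!r} -> {target}")
```

The three checks are deliberately independent so each can become its own rule; correlating them on the same parent PID within a short window is what turns "someone ran vbc.exe" into a high-confidence alert, since build servers and Visual Studio hosts will match the first check alone.
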
Network

Count  Country  Destination     Domain                   Proto
1      US       8.8.8.8:53      bejnz.com                udp
1      US       8.8.8.8:53      hackorchronix.no-ip.biz  udp
106    US       34.67.9.172:80  bejnz.com                tcp

Order of events: DNS lookup of bejnz.com, one TCP connection to 34.67.9.172:80, the single lookup of hackorchronix.no-ip.biz, then 105 further connections to 34.67.9.172:80 in a tight loop. hackorchronix.no-ip.biz is a No-IP dynamic-DNS hostname, typical for RAT command-and-control; no TCP flow is attributed to it in this run, so the log shows the lookup only, not a C2 session.

Files

memory/2748-1-0x0000000001E90000-0x0000000001ED0000-memory.dmp

memory/2748-0-0x0000000074720000-0x0000000074CCB000-memory.dmp

memory/2748-2-0x0000000074720000-0x0000000074CCB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\smp-owm7.cmdline

MD5 69e7cb35a2cfb4bbe5691028a44700a0
SHA1 ea242c2d1cd5b81fc95538aa481710b1d8e23785
SHA256 7e54d23bb3dd80d6c3e838ed7904442dfef3ef7b8b3de70ed782c5185e690104
SHA512 50c390fc5c25d48ea3fc0561cc60061342276c329550b7975379fac02591cce3688804054cde3fce4bf3e60989b20cb4fd3b6ec3bc2626546b05de13f3dc737c

C:\Users\Admin\AppData\Local\Temp\smp-owm7.0.vb

MD5 c01f9a12a067f9e810fff6da1159cd7a
SHA1 abec896c9b69a6253dc4c7ac8686a30bfc787fc6
SHA256 26901d3d408e4ad1eb5fc6b62d1df4b62db4d7f033f73f450811578c8edd199a
SHA512 509b8928fedd3376d9960535c98ca7b8a55202b6408ea28a40bf94d2b4c4125b43a19753d2ae3c48efde56b2038cf7bc90324de91f65d7866c36257a01558c32

C:\Users\Admin\AppData\Local\Temp\vbc889.tmp

MD5 aa1532241685f324fcc7bbb98141f702
SHA1 31f519675391565279d44ecb7e03f54beb26869c
SHA256 7c2d21d3efccb4e9510515aa5939d3ebf6735f51a12833387d2b3b8f728545ac
SHA512 7f960a3f4520390b304e8f00298efe2fc4e78bd607cd946e7038036c1ba88141203e81dc9516e240d678768552ae253084140b087c2433326d952a9be6b98750

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\RES88A.tmp

MD5 0fc173cff110e340b2bc236a456cc410
SHA1 9a05da13df61d79e6eb8d962eb60063a80ebee6f
SHA256 394bc77b34f56cf960c32a33e8024b74c0668dbed89664663179346d00d75962
SHA512 263f31b4dc5c4a6b3511d3355d10ae5f2fbf20c61540329f2b2778ed1a4d0594f3c88ca409b72f70113d4e85e3a8b672f38bc27c2667a231d21e131be3d6dbca

C:\Users\Admin\AppData\Local\Temp\tmp7FC.tmp.exe

MD5 40606f2ec6a461dc4acdf4721e352c4e
SHA1 a743259c48602a3fe6646124b87ce80d8eb58cc9
SHA256 209938774aaa18492b4179808660a9f18aedc4e4fddde3ed98df9812c4a86ef6
SHA512 f82752316542359febbdd7759f239bd791614347cdb5a78314838bd70551d100a8aa9a9267bf0ea9bef42a14d01dab5bbe63acfa847f69fa8068160b06a61022

memory/2748-22-0x0000000074720000-0x0000000074CCB000-memory.dmp

memory/2612-24-0x0000000000B10000-0x0000000000B50000-memory.dmp

memory/2612-23-0x0000000074720000-0x0000000074CCB000-memory.dmp

memory/2612-25-0x0000000074720000-0x0000000074CCB000-memory.dmp

memory/2612-27-0x0000000000B10000-0x0000000000B50000-memory.dmp

memory/2612-28-0x0000000074720000-0x0000000074CCB000-memory.dmp

memory/2612-29-0x0000000000B10000-0x0000000000B50000-memory.dmp

memory/2612-30-0x0000000000B10000-0x0000000000B50000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 23:32

Reported

2024-04-08 23:34

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe

Reading Geo\Nation is a common geofencing check; the report does not show whether the result changed the sample's behaviour.

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\tmp3856.tmp.exe

Uses the VBS compiler for execution

Same compile-at-run-time chain as behavioral1, with response file kp4hknof.cmdline and source kp4hknof.0.vb (see Processes and Files).

Adds Run key to start application (persistence)

Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\tmp3856.tmp.exe

Identical value name and target to behavioral1; as there, AppLaunch.exe is not among the files recorded for the run.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege, process C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
Token: SeDebugPrivilege, process C:\Users\Admin\AppData\Local\Temp\tmp3856.tmp.exe

Suspicious use of WriteProcessMemory

PID 1712 (sample) wrote to memory of PID 3984 (vbc.exe): 3 writes
PID 3984 (vbc.exe) wrote to memory of PID 116 (cvtres.exe): 3 writes
PID 1712 (sample) wrote to memory of PID 3404 (tmp3856.tmp.exe): 3 writes

As in behavioral1, each write targets a child the writer has just created.

Processes

PID 1712  C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
          "C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe"

  PID 3984  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kp4hknof.cmdline"

    PID 116   C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3930.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2B0129462DA4BD1B3DCA238031D365.TMP"

  PID 3404  C:\Users\Admin\AppData\Local\Temp\tmp3856.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmp3856.tmp.exe" C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe

Same tree as behavioral1 (parent/child relations from the WriteProcessMemory entries); only the generated temporary names differ between the two hosts, which is why the dropped-file hashes do not match across runs.

Network

Count  Country  Destination     Domain                        Proto
1      US       8.8.8.8:53      bejnz.com                     udp
27     US       8.8.8.8:53      hackorchronix.no-ip.biz       udp
106    US       34.67.9.172:80  bejnz.com                     tcp
1      US       8.8.8.8:53      133.211.185.52.in-addr.arpa   udp
1      US       8.8.8.8:53      240.197.17.2.in-addr.arpa     udp
1      US       8.8.8.8:53      134.32.126.40.in-addr.arpa    udp
1      US       8.8.8.8:53      172.9.67.34.in-addr.arpa      udp
1      US       8.8.8.8:53      58.55.71.13.in-addr.arpa      udp
1      US       8.8.8.8:53      50.23.12.20.in-addr.arpa      udp
1      US       8.8.8.8:53      206.23.85.13.in-addr.arpa     udp
1      US       8.8.8.8:53      140.71.91.104.in-addr.arpa    udp
1      US       8.8.8.8:53      0.204.248.87.in-addr.arpa     udp
1      US       8.8.8.8:53      43.229.111.52.in-addr.arpa    udp
1      US       8.8.8.8:53      (no domain recorded)          udp

The Windows 10 run shows the same two names as behavioral1 but a clearer rhythm: after the initial bejnz.com lookup and connection, hackorchronix.no-ip.biz is queried again roughly every four connections to 34.67.9.172:80, 27 times over the 151 s capture, and still no TCP flow is attributed to it. The in-addr.arpa rows are reverse-DNS (PTR) queries whose labels are the IPv4 octets in reverse order, so 172.9.67.34.in-addr.arpa is the reverse lookup of 34.67.9.172, the bejnz.com address. The final row is a DNS query whose name was not recorded.
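Reducing a table like this one to the two facts that matter (which names were only ever looked up, and which were actually contacted) is routine enough to script. The following is an added Python example, not part of the report: `LOG` is a constructed excerpt in the report's own "Country Destination Domain Proto" layout, including a final row with no domain like the one above, and `DYNAMIC_DNS_SUFFIXES` is a short illustrative list of dynamic-DNS providers rather than an exhaustive one.

```python
"""Aggregate a sandbox network table and separate lookups from contacts.

Added example, not part of the report. LOG is a constructed excerpt in the
report's own 'Country Destination Domain Proto' layout, including the final
row that has no domain; DYNAMIC_DNS_SUFFIXES is a short illustrative list.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

DYNAMIC_DNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "no-ip.com", "ddns.net", "duckdns.org",
                        "hopto.org", "zapto.org", "sytes.net", "dyndns.org")

LOG = """\
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 udp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    dest: str               # "ip:port"
    domain: Optional[str]   # None when the sandbox recorded no name
    proto: str


def parse(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:               # empty Domain column
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        flows.append(Flow(country, dest, domain, proto))
    return flows


def is_dns(f: Flow) -> bool:
    return f.proto == "udp" and f.dest.endswith(":53")


def is_reverse_lookup(domain: Optional[str]) -> bool:
    return domain is not None and domain.endswith(".in-addr.arpa")


def summarize(flows: List[Flow]) -> Counter:
    """Collapse identical rows: (dest, domain, proto) -> count."""
    return Counter((f.dest, f.domain, f.proto) for f in flows)


def lookups_without_connection(flows: List[Flow]) -> Dict[str, int]:
    """Names resolved (forward lookups only) that never appear on a non-DNS flow,
    with how often they were queried: a C2 name that never produced a session."""
    queried = Counter(f.domain for f in flows
                      if is_dns(f) and f.domain and not is_reverse_lookup(f.domain))
    contacted = {f.domain for f in flows if not is_dns(f) and f.domain}
    return {name: n for name, n in queried.items() if name not in contacted}


def dynamic_dns_names(flows: List[Flow]) -> List[str]:
    return sorted({f.domain for f in flows if f.domain and f.domain.endswith(DYNAMIC_DNS_SUFFIXES)})


def reverse_lookup_targets(flows: List[Flow]) -> List[str]:
    """Undo the PTR encoding: '172.9.67.34.in-addr.arpa' -> '34.67.9.172'."""
    targets = []
    for f in flows:
        if is_reverse_lookup(f.domain):
            octets = f.domain[: -len(".in-addr.arpa")].split(".")
            targets.append(".".join(reversed(octets)))
    return targets


if __name__ == "__main__":
    flows = parse(LOG)
    for (dest, domain, proto), n in summarize(flows).most_common():
        print(f"{n:4d}  {dest:16} {domain or '(none)':30} {proto}")
    print("queried but never contacted:", lookups_without_connection(flows))
    print("dynamic DNS names:", dynamic_dns_names(flows))
    print("reverse lookups resolve to:", reverse_lookup_targets(flows))
```

On the full behavioral2 table the same functions report hackorchronix.no-ip.biz as queried 27 times and never contacted, which is the detail worth carrying into a hunt: block or sinkhole the name and alert on the lookup itself, since the sandbox never saw the address it would have resolved to.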

Files

memory/1712-0-0x0000000075260000-0x0000000075811000-memory.dmp

memory/1712-1-0x0000000075260000-0x0000000075811000-memory.dmp

memory/1712-2-0x0000000001840000-0x0000000001850000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kp4hknof.cmdline

MD5 c2ed8c2bf7dbbc80c4e63621e374278c
SHA1 06554ea09a85160f8fc18fd01f668d690dc3975e
SHA256 060097ac22b7aa7cf6c4920b5d209fbf32ea2019414e64dd0024a7f54e7f12c1
SHA512 44b5c14cb37bbc5484cb42f6a6893629f72b3bdfd8f5a7332840bf0f893ff06d375a27062dfc245593d059720fa0e7ce5df2005119a0ec0ebbca1b693564e9c2

C:\Users\Admin\AppData\Local\Temp\kp4hknof.0.vb

MD5 14b4241bf77320cca978120abefce8f8
SHA1 64afb3ab2c5e8706ea96b829e4332bc89c6e5142
SHA256 a2c771a429078a387f75113b8d55177b97d049e9b43f93fea1a22c9217cc8a16
SHA512 d8ffb9960e1272345151c189fb15371c2e2058c4f6ae746dd9882161d443cc3115d830266c78dca0b3478f1995e0a10deb552aede5969c13779855857e5fc651

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcB2B0129462DA4BD1B3DCA238031D365.TMP

MD5 13be886886aeec806f9a797506b951ef
SHA1 e4f250761d470d37a7d6eb4bd7eea64808023b34
SHA256 9a754b8a5041976c30d64dd8a805e58f425ffb88dc5f88e1cba861de19a2aeb3
SHA512 dbfc6721a1644fbccf495d4c9ae7447bdd342d55de1650d99b6fe55500eb06edb3436b9a8166f2fcc30a2e17de76f616fcd3289440552064924c0ab7008d1982

C:\Users\Admin\AppData\Local\Temp\RES3930.tmp

MD5 c1e944a6d5128d5a31c3330abbc02dfb
SHA1 123be1d62cdc04c564da4cd626fafb46bd9ff19c
SHA256 75fa476fda23b7d10b8b765857fd5af3e838ced46d513ce5f9bd3a1264e993f8
SHA512 ed03cd74968da0d546a0518eaebb53225fce87d30b3dc6aa5a8667e96a8b679279129207e111f1424b30f5a9fcd20a7d4511d4bae8c1258525a5e11557230c75

C:\Users\Admin\AppData\Local\Temp\tmp3856.tmp.exe

MD5 4b83d2ae2139702e8e60ae651c4a9437
SHA1 64676bd279c7caca239bf949a6c75849a0ee2f44
SHA256 293464130a4c0679ff33981fe58e895b6c95a565ba003f48940cdd43c1f897ca
SHA512 c434019e512e13132509aba42c50d1b431562747d7b5e0618aea7ea291cd7e74fcbef76e79dd2f232af7eb446d393ddba0446327c58a9cf723b76f74ee73d23f

memory/1712-20-0x0000000075260000-0x0000000075811000-memory.dmp

memory/3404-21-0x0000000075260000-0x0000000075811000-memory.dmp

memory/3404-22-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

memory/3404-23-0x0000000075260000-0x0000000075811000-memory.dmp

memory/3404-25-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

memory/3404-26-0x0000000075260000-0x0000000075811000-memory.dmp

memory/3404-27-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

memory/3404-28-0x0000000000DA0000-0x0000000000DB0000-memory.dmp