Malware Analysis Report

2024-11-16 13:11

Sample ID 240408-3rgpxaag3t
Target 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87
SHA256 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87
Tags metamorpherrat persistence rat stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87

Threat Level: Known bad

The file 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 23:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 23:44

Reported

2024-04-08 23:47

Platform

win7-20231129-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1880.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp1880.tmp.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1880.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1752 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1752 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1752 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1752 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 2132 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2860 wrote to memory of 2132 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2860 wrote to memory of 2132 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2860 wrote to memory of 2132 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1752 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | C:\Users\Admin\AppData\Local\Temp\tmp1880.tmp.exe
PID 1752 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | C:\Users\Admin\AppData\Local\Temp\tmp1880.tmp.exe
PID 1752 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | C:\Users\Admin\AppData\Local\Temp\tmp1880.tmp.exe
PID 1752 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | C:\Users\Admin\AppData\Local\Temp\tmp1880.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe

"C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4nsaax81.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES192D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc192C.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp1880.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1880.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp

Files

memory/1752-0-0x00000000741A0000-0x000000007474B000-memory.dmp

memory/1752-1-0x00000000741A0000-0x000000007474B000-memory.dmp

memory/1752-2-0x00000000002C0000-0x0000000000300000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4nsaax81.cmdline

MD5 f68dc88b62dc41b5fa7e24529a7fc61b
SHA1 d9a8e233f02631d25d75d46eb5993db16ee4f17b
SHA256 1545062924d257a960010a3f07ece352d93821e28b8e163c9b6b57715739d2ea
SHA512 0af40eb72b7210f69842a9fbbebcb03a4059a599a40d61fa42bb52b3e9b420952b47972a789b0b31ae77fedd6d8eae0e0278c160524bf6741682085ae326efb2

C:\Users\Admin\AppData\Local\Temp\4nsaax81.0.vb

MD5 9ebf7d57bc356057f5fdc4c5f01b12d0
SHA1 feba17873ff8b61fd6919db84e89363269a531b6
SHA256 30fb8243a8456bc3ab6858b35985051110228ccbc13af8b9431ff1d619c4d6bb
SHA512 8fedaae522c9b0e8447cd99c02a8bd073f03bd19194fdac57a8589de38cdfda150ff0a4b7f903299b7dc3a719e6d53c5868fd85599ae300371d5b5839a7d86be

C:\Users\Admin\AppData\Local\Temp\RES192D.tmp

MD5 64ab1e8030d055c86229a24fa70103bb
SHA1 c85184a631cf660c792a7a050cf60de4853b0fac
SHA256 954df54413dc62f571dbd7c37f94f2183cf7fcacf0f7cf86875701b5b3a118e2
SHA512 108abcb0eb989feca6b26e553916c5697bec3dce346187e1f14442e914efa3ceb450ea8c9950fec73dc12e5e5f4a2562879bfa5ad7044c7786907c636a779d41

C:\Users\Admin\AppData\Local\Temp\vbc192C.tmp

MD5 973a5a9c42dfe1a11b3bd6bd40a4e183
SHA1 9658624d9c23ae64046c60783dd765a52e17d761
SHA256 d00f37795e0479d67ae2db5fa5b58406aea579ff9ba23ae9560ca4ad2de86515
SHA512 e41a36616f6099a1edf10a8712bf20b41fbbe4139bc7ebc5c1ee0aec28ca37bd83d3b62f40a2a833323fd2702d2e2c88982987b33ad1d240261dd459d0e74928

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\tmp1880.tmp.exe

MD5 b1e271fca54e0ab14687aa0ce04ad276
SHA1 94c19de64d24498715beefe070d1a6ec26179a74
SHA256 a4720aaeec0f4ce30b70157e54d4f5f119feecb22c66795c8e4a476c357ac242
SHA512 3b8aeb7a1752d22472da0c219553db50e8d262136482196a07090d5b84c9a579389e7f126d3fa594f6d49bc5d23493f44b48290f31038b1a495d48eb83d896b6

memory/1752-22-0x00000000741A0000-0x000000007474B000-memory.dmp

memory/2788-23-0x00000000741A0000-0x000000007474B000-memory.dmp

memory/2788-24-0x0000000000120000-0x0000000000160000-memory.dmp

memory/2788-25-0x00000000741A0000-0x000000007474B000-memory.dmp

memory/2788-27-0x0000000000120000-0x0000000000160000-memory.dmp

memory/2788-29-0x0000000000120000-0x0000000000160000-memory.dmp

memory/2788-28-0x00000000741A0000-0x000000007474B000-memory.dmp

memory/2788-30-0x0000000000120000-0x0000000000160000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 23:44

Reported

2024-04-08 23:47

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp34DB.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp34DB.tmp.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp34DB.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 804 wrote to memory of 4880 | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 804 wrote to memory of 4880 | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 804 wrote to memory of 4880 | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4880 wrote to memory of 2424 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4880 wrote to memory of 2424 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4880 wrote to memory of 2424 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 804 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | C:\Users\Admin\AppData\Local\Temp\tmp34DB.tmp.exe
PID 804 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | C:\Users\Admin\AppData\Local\Temp\tmp34DB.tmp.exe
PID 804 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | C:\Users\Admin\AppData\Local\Temp\tmp34DB.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe

"C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ddglcxwe.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35C5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F84368D210E4E029B5D84B929A52DF3.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp34DB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp34DB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
NL 52.142.223.178:80 N/A tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 N/A tcp

Files

memory/804-0-0x00000000746E0000-0x0000000074C91000-memory.dmp

memory/804-1-0x00000000746E0000-0x0000000074C91000-memory.dmp

memory/804-2-0x0000000000B10000-0x0000000000B20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ddglcxwe.cmdline

MD5 93f2eedf98b511ba9ed00a284c371a72
SHA1 64ff826407fde0e5f3f5adea6929754b927e6165
SHA256 9a1fb164316694b505063905c15009c63ba46ef21d7d6c27cd9c82510cc145e3
SHA512 af05cdce73aac71c031d75af32a36bb66517c0a0b07b8d1f905b02bae2961947caff06642b2bb461f9163d9771621fa13ca09688ec2af0d0d6fa50b0bc7a9836

C:\Users\Admin\AppData\Local\Temp\ddglcxwe.0.vb

MD5 b6bce926908a01ece9b6de39285be9b9
SHA1 0a86934ed6e6ae324dc1107b6dfac0ad18586f97
SHA256 3368c8b0790c6d346a140c9c43dcd7d704edf413b01860637eb7b8b0dfb3fddc
SHA512 d9ba3c3aac1d1632cdcb8b7e7a0e30ffa25c1ec16e0e4b40060579115c44986cbcb552c6c4ae409445ddc463eafc8f188abaee586fb6ba1b88281793f2bd638a

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc6F84368D210E4E029B5D84B929A52DF3.TMP

MD5 41a871d670dcf8c8853b894e48a9f48c
SHA1 f0a780473d149682d295f6e4164af9321de3ec1a
SHA256 d6421b6846daf19ae8c7abc8b3ce1b747217bc7b7081d744eee9ba499d6c9a23
SHA512 639dc81fcac3ba4378aaeeb147b808c4725e741b6002c83ed09a1b546552c8d2a8ec018948d24c25e5217a4bb8b5939f8a3c951bf37dc711b30aa1356ba3008d

C:\Users\Admin\AppData\Local\Temp\RES35C5.tmp

MD5 4e4c45855113bfa9cf727f19180525f9
SHA1 be0632b96e3267da2a5cd6b0b48f117b4ac4687b
SHA256 52f18438132d0966aecc70f897ca9e78a10da47de2c12c19029f6e1fc6aa0339
SHA512 b6890346523c8cd9555d95a53f77dfd450acab1ca3a144335899ec5a2bfc4b4c01493f041ade2e547ad41e11705eb87e1c491bff351d3d33c31dd7fc2786632b

C:\Users\Admin\AppData\Local\Temp\tmp34DB.tmp.exe

MD5 aac5b67d3ffcdd026b31d44ed2db52c0
SHA1 20044222554068c3846a0d2a84084f73fb812506
SHA256 3ba73a85c5df4b31cef0a72cd06a563dcfe20dd422cd0543427f2cc15cb0b068
SHA512 d68ebcdae22f68b9e4e5cd7cd91002367f09d23278aba11c851e9aff42e050d9007b8752e90575959516d3eb0f9e337c79d9dc44e5e90652c550eb037a436497

memory/4600-21-0x00000000746E0000-0x0000000074C91000-memory.dmp

memory/804-20-0x00000000746E0000-0x0000000074C91000-memory.dmp

memory/4600-22-0x0000000000C80000-0x0000000000C90000-memory.dmp

memory/4600-23-0x00000000746E0000-0x0000000074C91000-memory.dmp

memory/4600-25-0x0000000000C80000-0x0000000000C90000-memory.dmp

memory/4600-26-0x00000000746E0000-0x0000000074C91000-memory.dmp

memory/4600-27-0x0000000000C80000-0x0000000000C90000-memory.dmp

memory/4600-28-0x0000000000C80000-0x0000000000C90000-memory.dmp