Malware Analysis Report

2024-11-16 13:11

Sample ID 240409-2hf7caae8v
Target 4fe1a1507329a5809758e567869e00db
SHA256 3a8bbe0c069c3c01368596ca076d29bdb515ccf3a70feb7003419b1c48bc61b2
Tags
persistence metamorpherrat rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 4fe1a1507329a5809758e567869e00db was found to be: Known bad.

Malicious Activity Summary

persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 22:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 22:34

Reported

2024-04-09 22:39

Platform

win7-20240220-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fe1a1507329a5809758e567869e00db.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpF6C.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpF6C.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fe1a1507329a5809758e567869e00db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpF6C.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\4fe1a1507329a5809758e567869e00db.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2240 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\4fe1a1507329a5809758e567869e00db.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2240 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\4fe1a1507329a5809758e567869e00db.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2240 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\4fe1a1507329a5809758e567869e00db.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2568 wrote to memory of 2228 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2568 wrote to memory of 2228 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2568 wrote to memory of 2228 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2568 wrote to memory of 2228 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2240 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\4fe1a1507329a5809758e567869e00db.exe C:\Users\Admin\AppData\Local\Temp\tmpF6C.tmp.exe
PID 2240 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\4fe1a1507329a5809758e567869e00db.exe C:\Users\Admin\AppData\Local\Temp\tmpF6C.tmp.exe
PID 2240 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\4fe1a1507329a5809758e567869e00db.exe C:\Users\Admin\AppData\Local\Temp\tmpF6C.tmp.exe
PID 2240 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\4fe1a1507329a5809758e567869e00db.exe C:\Users\Admin\AppData\Local\Temp\tmpF6C.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4fe1a1507329a5809758e567869e00db.exe

"C:\Users\Admin\AppData\Local\Temp\4fe1a1507329a5809758e567869e00db.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ztpgaee2.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1018.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1017.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpF6C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF6C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4fe1a1507329a5809758e567869e00db.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 tcp

Files

memory/2240-0-0x0000000074270000-0x000000007481B000-memory.dmp

memory/2240-2-0x00000000021C0000-0x0000000002200000-memory.dmp

memory/2240-1-0x0000000074270000-0x000000007481B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ztpgaee2.cmdline

MD5 6d5f8d35bcb63aa501a24d440b876ccb
SHA1 53443d4f7d9d9f1a9b1762b2798caa3cb8a22045
SHA256 ab0d570616db276137949314ea771ca4a90c45324d50d4d66d731c3eed5e406f
SHA512 0bb7305c0e6d5295a820bad278be5b9f3752e96f183ae4be37ff44d1adf10471b3ed89e366edb6b9eac320ae0077911d7ac8392e084eb3b16ba57c893672aba5

C:\Users\Admin\AppData\Local\Temp\ztpgaee2.0.vb

MD5 541b2387d72dccfb0643afb009c63a1c
SHA1 c19cd2c1e9e9fe30656b32bdea42acc1d6091d75
SHA256 94cae480f1da95f54678097caa6b0405565b91f07b24d3cd5b3a4e533edd6c80
SHA512 d5516c299e808edf192f4ad2ab12102c104643fa01f4502eeb185a8278928572e955a281d784d53a171c916b389fe48aa98b6796b9310bb512f4c8dc9df75628

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\RES1018.tmp

MD5 8e48d5fd21be2e2833837cbc0b17397d
SHA1 ee404d19e06b66d567027615b03d0c5f6a71742f
SHA256 a7753edae96f4a26b258cec899e8e3d3190421bab1f0c720456201026e45f741
SHA512 2054c86131f22ae2436a237344184509cc6c85e412aea8f183ba4b22f224d4d5e72022f553072d6145d3e4802c7b03f5e9305beea1b779267d05374017a1b785

C:\Users\Admin\AppData\Local\Temp\tmpF6C.tmp.exe

MD5 d7060a99f2d3da242e6412160a95ddef
SHA1 19264191d4d398265b029f700f253a38fc6ff57d
SHA256 ce4c4c3e6bc52e345d076cc4379af6d0361df58ac23cf4c709bbde2a409ade3f
SHA512 b5df5ea2728c7466a9346190c76dcbad4e4aeddd48263e9f80bd0c2a30c6b2188b13325caa1489c64283511d247cfaf3cadcf2645d5b2a8197f76170a903dffc

C:\Users\Admin\AppData\Local\Temp\vbc1017.tmp

MD5 ddb08454684abc98f8d946cee403f757
SHA1 0f01685d61e323da6113788afdc748bf37585b05
SHA256 10eec6f7d3b58530e5b00828a550a62b0792a7747aae7b2bc65512a0ede55f1a
SHA512 f1da2682c1fe4edf3dc814745f189d18377e1ceccec5e06b8ccb870b37962823f66c04d2c07598e6c6ae88cf108f47d1b2000142175038b8a3ab76541229ae68

memory/2800-23-0x0000000074270000-0x000000007481B000-memory.dmp

memory/2800-25-0x0000000074270000-0x000000007481B000-memory.dmp

memory/2800-24-0x0000000000C30000-0x0000000000C70000-memory.dmp

memory/2240-22-0x0000000074270000-0x000000007481B000-memory.dmp

memory/2800-27-0x0000000000C30000-0x0000000000C70000-memory.dmp

memory/2800-28-0x0000000074270000-0x000000007481B000-memory.dmp

memory/2800-29-0x0000000000C30000-0x0000000000C70000-memory.dmp

memory/2800-30-0x0000000000C30000-0x0000000000C70000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 22:34

Reported

2024-04-09 22:39

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fe1a1507329a5809758e567869e00db.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4fe1a1507329a5809758e567869e00db.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5CF5.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp5CF5.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fe1a1507329a5809758e567869e00db.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp5CF5.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4fe1a1507329a5809758e567869e00db.exe

"C:\Users\Admin\AppData\Local\Temp\4fe1a1507329a5809758e567869e00db.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\grptuqcx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5DCF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA738E937690242D49AAC505F40A3BB61.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp5CF5.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5CF5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4fe1a1507329a5809758e567869e00db.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 tcp

Files

memory/412-0-0x0000000074F80000-0x0000000075531000-memory.dmp

memory/412-1-0x0000000074F80000-0x0000000075531000-memory.dmp

memory/412-2-0x0000000000D30000-0x0000000000D40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\grptuqcx.cmdline

MD5 305df7b5f098c5f336681f3e1ce83f09
SHA1 606fae96a4fc08107dd98bfa6c01adc3cf8f3e48
SHA256 02b694cc7a68e231175799bef2c5a03d5d2d6d7816734f1fa8f015005f21fef4
SHA512 cf791fff62bc830716fbb174d3a8c86c7e31f74821130783a84f7c3fc25d75f46aec2edb8dbdb29549a5383f4b2c9dda61e69df4db1b1d39983b757380a93998

memory/3664-8-0x0000000000B30000-0x0000000000B40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\grptuqcx.0.vb

MD5 87b310d250bca86d585df812687e62b7
SHA1 cf88d349257d8bf4e0770cf8966e3806b416c8b2
SHA256 14626247a4cf7e866d60e90ec5caf8b29d6d7b42f3eaa9501a3568718d0aa87d
SHA512 e87e63e6cb5f3fd63d652627b3dd9e598846fa0bc8a5b54de373691c1868bf56a8c5bcc47054b82b3cfdb380e7469fc71f4d1225ff3a95830984bfd0d191a4f3

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcA738E937690242D49AAC505F40A3BB61.TMP

MD5 ac368f9e6a71c318cdd17d7bdfcf84a9
SHA1 6158a3592b37b5cea76f1cdf26d1e37b146a79a1
SHA256 e15d28ecba591a55a108d6b22f50767697aef742b5e82f3699a9ed446ccef3e4
SHA512 e62286437dd063016b944694f308e1eb398b6f989695052e73c663d7e9c77588184ad8e576516e34434b61f36ef514a16c3e275d62b1c31bc82dadad1f6d782d

C:\Users\Admin\AppData\Local\Temp\RES5DCF.tmp

MD5 2e6f76b3b79ac2c8ca1e383363830214
SHA1 397e08a9719d50912b7c28ee4ea4e6113e49d6da
SHA256 07e8d2ec0944078f36174f510fbb9b03e554f7c4cd3fe2d2ec25206f3f8ddb97
SHA512 c0d6e800432ab6bbd75973868bb07ecd9ec148c99afcb1dc8e245d09acc5d743d78337b9a459c76c5bdfd56a4e20cfe858e078c1314b8a6c258117fcfe1b227e

C:\Users\Admin\AppData\Local\Temp\tmp5CF5.tmp.exe

MD5 cc210993c25f00e2e7ffd503cf17567c
SHA1 e27ebe873bb1963c59f5a794a5cbadd4ea13a72f
SHA256 a1272646b00df4b52a056d1a2c245e1b34c8635b9b3daddf3338eb5542013380
SHA512 0a6a96bfc5bd718feef63f387703eec9966967e748ea51c03d7174f0ce0491332a480a732864759c2a544c83cbedbf81546745fdf2200a4a71f75ad92350bdc9

memory/4024-22-0x0000000074F80000-0x0000000075531000-memory.dmp

memory/4024-23-0x00000000017A0000-0x00000000017B0000-memory.dmp

memory/412-21-0x0000000074F80000-0x0000000075531000-memory.dmp

memory/4024-24-0x0000000074F80000-0x0000000075531000-memory.dmp

memory/4024-26-0x00000000017A0000-0x00000000017B0000-memory.dmp

memory/4024-27-0x0000000074F80000-0x0000000075531000-memory.dmp

memory/4024-28-0x00000000017A0000-0x00000000017B0000-memory.dmp

memory/4024-29-0x00000000017A0000-0x00000000017B0000-memory.dmp