Malware Analysis Report

2024-11-16 13:10

Sample ID 240409-2jth3aaf8w
Target 533e73f658e25e20e180b9045ce845b2
SHA256 f056d4c1f5d092f69f43e0de63be99d70ffa7e4edf55cc20df05a76ef5f7ac9b
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f056d4c1f5d092f69f43e0de63be99d70ffa7e4edf55cc20df05a76ef5f7ac9b

Threat Level: Known bad

The file 533e73f658e25e20e180b9045ce845b2 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Deletes itself

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 22:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 22:37

Reported

2024-04-09 22:42

Platform

win7-20240221-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp164E.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp164E.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\tmp164E.tmp.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp164E.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2240 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2240 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2240 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2288 wrote to memory of 3040 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2288 wrote to memory of 3040 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2288 wrote to memory of 3040 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2288 wrote to memory of 3040 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2240 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe C:\Users\Admin\AppData\Local\Temp\tmp164E.tmp.exe
PID 2240 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe C:\Users\Admin\AppData\Local\Temp\tmp164E.tmp.exe
PID 2240 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe C:\Users\Admin\AppData\Local\Temp\tmp164E.tmp.exe
PID 2240 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe C:\Users\Admin\AppData\Local\Temp\tmp164E.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe

"C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pej9ivt2.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16FA.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp164E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp164E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp

Files

memory/2240-0-0x0000000074C40000-0x00000000751EB000-memory.dmp

memory/2240-1-0x0000000074C40000-0x00000000751EB000-memory.dmp

memory/2240-2-0x00000000005D0000-0x0000000000610000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pej9ivt2.cmdline

MD5 23b4dc84bae92c9b5d4010255dfa7fce
SHA1 23c1e825c99257407ff981463a1d3cac869cf1fa
SHA256 cffc988b884fe020ea530a15bc034ee3f36857cdbaa387cd707852961c6b6fcd
SHA512 048bda1a059320008c7ad4c9765cfd224ee163aa4f516f783bf7d77d3471c7c3a04535f18285ed734d796e23d391ca4f0637d79481a5d70f9724c6abc84925d6

C:\Users\Admin\AppData\Local\Temp\pej9ivt2.0.vb

MD5 24a2b2d619451b5a630d04eb94917b89
SHA1 fb1f24e9db6114aa016cb9fb554b04290e9629ee
SHA256 941f2a9c695d53b61d41d01d0568ff4252bce76a9ada809913b6799b839f3ef0
SHA512 989dd22646d0e2c9eb2efe933b15635101fec5ad463a98c6777a993d7b1189e26b0130f65b9119acd17ece674e02e06d82ca2810bc5dae0744df314c34be6acf

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc16FA.tmp

MD5 b1ba0620b9b7c160d729a9e9ce3a41fa
SHA1 f4dd034075de92027661e86f44286d76b82994f6
SHA256 3276aeeb68af6503a2bec56d9b557c57f57a8bccc4274eff5f0720d7fc54746a
SHA512 891a62d4fc0a39427f057507ec61a6fb17e5113050cfb65b09f9597a6bb16dcaa317600e6abf10be2e9cbab82997c1fc22212a309c31732bcf68fdac94583515

C:\Users\Admin\AppData\Local\Temp\RES16FB.tmp

MD5 028cbfc08828ac47fc4d2a451fbf6cda
SHA1 9484738a2d96142004da5b637395ba0f225c450a
SHA256 c6db588c19bc38c644e0ccfc0aeab04176ba2855263979a4f0b7974cef5240ed
SHA512 fd80fece4b19bfcf96538ffd4f4190a6d1ba1bf394b199bc529f96854e25d11056e498606d3df816cf2542dd188e8a1a99d75113ef5e333fe6f79f36d1b0f0e5

C:\Users\Admin\AppData\Local\Temp\tmp164E.tmp.exe

MD5 d00d7a305464158140d4962bfc454e8c
SHA1 f27a7d70ab6dee03aa621fee7b9d6e001da68c9f
SHA256 5c0e28c33431f3779c33d88cdfe235a6df0da884833dbb99f6dc2e368e4f6ab3
SHA512 a5626432ab2c4ec363038c559d0f3e76f89999e15dc515e6afa87462913556e77bb07927d9e5e1dacc7d98da3af03437e35f23cc42fa8e912d51b8195ad08dda

memory/2240-22-0x0000000074C40000-0x00000000751EB000-memory.dmp

memory/2568-24-0x0000000000A40000-0x0000000000A80000-memory.dmp

memory/2568-23-0x0000000074C40000-0x00000000751EB000-memory.dmp

memory/2568-25-0x0000000074C40000-0x00000000751EB000-memory.dmp

memory/2568-27-0x0000000000A40000-0x0000000000A80000-memory.dmp

memory/2568-28-0x0000000074C40000-0x00000000751EB000-memory.dmp

memory/2568-29-0x0000000000A40000-0x0000000000A80000-memory.dmp

memory/2568-30-0x0000000000A40000-0x0000000000A80000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 22:37

Reported

2024-04-09 22:43

Platform

win10v2004-20240226-en

Max time kernel

166s

Max time network

172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe
Target: N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB565.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\tmpB565.tmp.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpB565.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe

"C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kb7dofuw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE162A4E3991641CEA62ED6FC4E7724.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpB565.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB565.tmp.exe" C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 tcp

Files

memory/2776-0-0x00000000754C0000-0x0000000075A71000-memory.dmp

memory/2776-1-0x00000000754C0000-0x0000000075A71000-memory.dmp

memory/2776-2-0x0000000001050000-0x0000000001060000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kb7dofuw.cmdline

MD5 cae731d0dd975fd187ff4623e5605411
SHA1 36cee2ed14095ddbef490a6e50bddfb6495aaa0e
SHA256 682f6e336ce9260eada226d984f9a12eb7fff60e2f8d5a95541ea5e0293efc73
SHA512 83c9c36c4509a7b2da076fdba010b2043d9d2f162b3742d3a0e47ea1a27962864559f34f744f7c7cf63c8a127ae03f4fd20947f8ea6c14b72ad01fe451c17769

memory/3232-8-0x0000000000B20000-0x0000000000B30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kb7dofuw.0.vb

MD5 af4b12c61c4adcc5a2dba03ebd69fedb
SHA1 55fe56a35f4479103de429df9e6631a953f04967
SHA256 d903ffd4c904c46517a7a24551897bdf8c0c41ac377cf6c584ffd073de3f25e8
SHA512 bb8710bed306c8f51cbf2c4fca41eb03e18b8e15b3599fe5ba99a8e064c2ce6a1220b980b13317810f2915d0e44355ba83eb4630614283087196724df46c7543

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcE162A4E3991641CEA62ED6FC4E7724.TMP

MD5 c64da5017f63f23f8c2b7c8ead32b6ff
SHA1 1fe4c3b8ddadb32ff681876fd52f7603206b96cc
SHA256 f30c4fb8ac06eddc7918aee90ac462a90ed025d44138c9c9c253a15f31a1a7d9
SHA512 5c1ac71c5170a49e4477dbdfa0fed40c3e88db00301ab559e8b80217a4335a18d086e0d30d2a48bcefa7ed9f740a73f22619dba88cc8a4089d5ea16de94a7b98

C:\Users\Admin\AppData\Local\Temp\RESB6DC.tmp

MD5 07ad441c8aaf09f21b8494b2917f9cff
SHA1 cf12b6a539aa949546c86623b716e92f628f6167
SHA256 995805866a9d3a7e02e53e305dd2466139ecd09da8d5158cb720178ee46254f4
SHA512 0759a328bed3a4ad4a0dd2d4934c4bff7c9ec895627692c8dad21e25ff3d029aa67e93cfa7e9828a08ee57c08bda45a698b2deeeec33783f8fbeec10d905fa3d

C:\Users\Admin\AppData\Local\Temp\tmpB565.tmp.exe

MD5 001732e7d7026e54f46fa2290df9f84b
SHA1 29688c931ba0b071fec975e71be73c95626e8b05
SHA256 ac5c9580d0309fbfa108a824c305a850411b7f448a5bb4ca87f9fdc66e2ac6f1
SHA512 f0c15ccef4feca4cb14ebba7469895afba260a5dd37e9e4845e57295df35536541e9d35dc79d2493d3545eb2febc45b662cf5623924ee80dda34384e99532c6b

memory/2776-21-0x00000000754C0000-0x0000000075A71000-memory.dmp

memory/2056-22-0x00000000754C0000-0x0000000075A71000-memory.dmp

memory/2056-23-0x0000000001100000-0x0000000001110000-memory.dmp

memory/2056-24-0x00000000754C0000-0x0000000075A71000-memory.dmp

memory/2056-26-0x0000000001100000-0x0000000001110000-memory.dmp

memory/2056-27-0x00000000754C0000-0x0000000075A71000-memory.dmp

memory/2056-28-0x0000000001100000-0x0000000001110000-memory.dmp

memory/2056-29-0x0000000001100000-0x0000000001110000-memory.dmp