Malware Analysis Report

2024-11-16 13:11

Sample ID 240410-nqlj5shc8t
Target eaf88d8f3148eece8a85cca78708dcf3_JaffaCakes118
SHA256 32ba87d4987f721018ceaa578714d7231ef4b7e3ca55e3b052845070b410a9eb
Tags metamorpherrat persistence rat stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

32ba87d4987f721018ceaa578714d7231ef4b7e3ca55e3b052845070b410a9eb

Threat Level: Known bad

The file eaf88d8f3148eece8a85cca78708dcf3_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-04-10 11:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 11:36

Reported

2024-04-10 11:38

Platform

win7-20240221-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eaf88d8f3148eece8a85cca78708dcf3_JaffaCakes118.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp94FF.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp94FF.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\eaf88d8f3148eece8a85cca78708dcf3_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp94FF.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1084 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\eaf88d8f3148eece8a85cca78708dcf3_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2272 wrote to memory of 2436 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1084 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\eaf88d8f3148eece8a85cca78708dcf3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp94FF.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eaf88d8f3148eece8a85cca78708dcf3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\eaf88d8f3148eece8a85cca78708dcf3_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tzgivn_a.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9751.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9750.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp94FF.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp94FF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eaf88d8f3148eece8a85cca78708dcf3_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 N/A tcp

Files

memory/1084-0-0x0000000074840000-0x0000000074DEB000-memory.dmp

memory/1084-1-0x0000000074840000-0x0000000074DEB000-memory.dmp

memory/1084-2-0x0000000002040000-0x0000000002080000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tzgivn_a.cmdline

MD5 2be4f78cbb6dfd58fd13056442d46abb
SHA1 8ac0856e37c9ccfa62d7128ce1b60a03c7b893df
SHA256 7f59dbd13cd74e1f7c2e328076eb18929d199ceb1692c0e3e60221d144edd445
SHA512 93c2ccfa8cd71bdd6c3cecc0d9c192ebb3794f5c308e6e4501aec9907ef434daa1dba6c9f5e61f79554c234bfc69199bdf3e6e19ddb765a8c1b9ab1ce2c28ac1

C:\Users\Admin\AppData\Local\Temp\tzgivn_a.0.vb

MD5 c70e52f4d61766e4736c51abcbca386d
SHA1 2cd26e46e950051e14bf142ab23026ad81e4c717
SHA256 bea3c549c673b8adfd721234c340c2e7c7810065baf7ab57a057acae9e3077c3
SHA512 f6057b592621f7b21f3151416da406d81146cffb9628357d675ee2164a11b8db568c7c3463a4d416274fcdf03438b22aceaee5cbc7937edeb5c7b25a6f25ff1e

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc9750.tmp

MD5 9c6d26e13ec7b15518a2befcd26405f9
SHA1 3c45366c0cf6ac67a03873f87382b77de77de2d4
SHA256 5f6e7c95ceb8d41220858339e97d76dd6063d683c42a1c78f28422927de88c84
SHA512 5fc6c13844df661bdc28a257fb7701f774a64e5dac0910dc5b2d6c1df6b97b07289efb14ea493fe521bebafdc2ee0cbe610f06d222df59a7d0b76145327bd28d

C:\Users\Admin\AppData\Local\Temp\RES9751.tmp

MD5 7c1c841c05bb0109bb12dac671785397
SHA1 2a89d7060fe5044dbd2ed0b9cf12701000e1bec4
SHA256 386bba971c985036913919b97ecd9ba7ddf427635660a545fc994634ff9670d4
SHA512 b99dbc1270ed9b44537f9e7ac8f99f355764f5ec616c6c1740cd204d4853ea342321cb1f5f57d48f85dc4c6b7773aaa358c1fe72eb2ee848aa6d02f79e6d4d01

C:\Users\Admin\AppData\Local\Temp\tmp94FF.tmp.exe

MD5 a8d452fa6cf66f45297250ef1ce07db4
SHA1 526e5909c1771bf3a016551caf6b10ff9cb24310
SHA256 6b2fa71029c630c6579a1b8dc44eb7504a6568b7852576d64b0527be366c50f4
SHA512 df602825dc4c45db2d6fdd7f8e0f3c9b9e0af392bb8b8bf0cf25182d7709ee2171bfb27aa4bd8b2920bd8ab9883641097aaffd4da365f3f7d1c6f913ce97a08e

memory/2936-24-0x0000000000B30000-0x0000000000B70000-memory.dmp

memory/2936-23-0x0000000074840000-0x0000000074DEB000-memory.dmp

memory/1084-22-0x0000000074840000-0x0000000074DEB000-memory.dmp

memory/2936-25-0x0000000074840000-0x0000000074DEB000-memory.dmp

memory/2936-27-0x0000000000B30000-0x0000000000B70000-memory.dmp

memory/2936-28-0x0000000074840000-0x0000000074DEB000-memory.dmp

memory/2936-29-0x0000000000B30000-0x0000000000B70000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 11:36

Reported

2024-04-10 11:38

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eaf88d8f3148eece8a85cca78708dcf3_JaffaCakes118.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\eaf88d8f3148eece8a85cca78708dcf3_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp398E.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp398E.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp398E.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\eaf88d8f3148eece8a85cca78708dcf3_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp398E.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4168 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\eaf88d8f3148eece8a85cca78708dcf3_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4004 wrote to memory of 4600 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4168 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\eaf88d8f3148eece8a85cca78708dcf3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp398E.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eaf88d8f3148eece8a85cca78708dcf3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\eaf88d8f3148eece8a85cca78708dcf3_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u81ogc6o.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A3A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C38CDD1426D4BF486A0C41667E69AB.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp398E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp398E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eaf88d8f3148eece8a85cca78708dcf3_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/4168-0-0x0000000074A90000-0x0000000075041000-memory.dmp

memory/4168-1-0x0000000001320000-0x0000000001330000-memory.dmp

memory/4168-2-0x0000000074A90000-0x0000000075041000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u81ogc6o.cmdline

MD5 7576a13cae2af19e6ca64835ae301fa2
SHA1 dd5c8094c5994b0ed56d563087bb40e39c46c8be
SHA256 cb71751cf9b9d5bc210a7453d3354ba6291f80dd0919651873eca6eda0aecbdc
SHA512 626182ae45bbed73a5ad46f6b62ef6168ba6af494b79bdd5de2732fa30e7576d362dfcd80e16f96e796d4ccb38e1adfd89fb048abd97efbb87bfbe37eb66502f

C:\Users\Admin\AppData\Local\Temp\u81ogc6o.0.vb

MD5 a7580354e440f803486799279a49b35a
SHA1 828cc3e082afe1f1e73ba3c61ee6c861de4b2c4e
SHA256 ce754bac71208885cdbd5531e3f80ade26f38eaadeb02976620a25faf0f8cb0f
SHA512 809beadbd1e4b276c77fd6bf4f271d59111f02a045a2c639d8425364f3cb3bed80f08963b0d4b96daa130717161e8b340f4ea5f1343568317f4b47c1c835b631

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc8C38CDD1426D4BF486A0C41667E69AB.TMP

MD5 0fe523930f8312f880219143be11e75b
SHA1 33d660ad799797a706a9ab20e3d0947be6bfebf3
SHA256 f888a9e57977c33aefdc96ea1ca3a577b193eb7f195471ecf8e78790d6d29fae
SHA512 f6c58e7e1228f6362a8c0bf0e3e8fe83bdc04911caf04ef796f14d653986e6196e313c8f988b4da7366da0fef3c3266d19366c648472511108ba23f85c8c978a

C:\Users\Admin\AppData\Local\Temp\RES3A3A.tmp

MD5 b0a0b2572a1021cbfdb482289a062e99
SHA1 9e947235002b4929c6adcbf241db41358c0eb968
SHA256 93d599cc72d1d4fac18e12d3eb5c9fe93835ec96df0e308e287167dfe6cb22c3
SHA512 f45bf8bc329e0e10e69b77bb01043661802511eec5f898235176148e523ae5ee0a7eb870a3946229edb2b3419eb38f71160cad73dcbf996679acfd69db4f6a82

C:\Users\Admin\AppData\Local\Temp\tmp398E.tmp.exe

MD5 39e4a01165644b5e67bd32120387842a
SHA1 f3425118d22f1039f59d07d0a60fda58f851608a
SHA256 e89172245cf39983ae77e5ebaefdf3f40cb6046952313bb026a501258830f3ac
SHA512 851a3628c4950bc01694e4c5b8f130914334896d14d4c337c665f38228ef31d6d3f43d63d0b195af4211bb1e5434e13e424e3be1ce6c0d1b9801c44a21157def

memory/4168-20-0x0000000074A90000-0x0000000075041000-memory.dmp

memory/4400-21-0x0000000074A90000-0x0000000075041000-memory.dmp

memory/4400-22-0x0000000074A90000-0x0000000075041000-memory.dmp

memory/4400-24-0x0000000000A90000-0x0000000000AA0000-memory.dmp

memory/4400-25-0x0000000074A90000-0x0000000075041000-memory.dmp

memory/4400-26-0x0000000000A90000-0x0000000000AA0000-memory.dmp

memory/4400-27-0x0000000000A90000-0x0000000000AA0000-memory.dmp