Malware Analysis Report

2024-11-16 13:11

Sample ID 240411-cee3fahd65
Target b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a
SHA256 b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a

Threat Level: Known bad

The file b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Deletes itself

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

The sandbox output left this section empty. The following mapping of the signatures listed above to ATT&CK Enterprise techniques is an editorial addition and not part of the original report:

Uses the VBS compiler for execution (vbc.exe and cvtres.exe run on dropped source files): T1027.004 Obfuscated Files or Information: Compile After Delivery
Adds Run key to start application (HKU\...\CurrentVersion\Run\System.XML): T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Deletes itself: T1070.004 Indicator Removal: File Deletion
Checks computer location settings (Control Panel\International\Geo\Nation): T1614 System Location Discovery
Repeated DNS queries for hackorchronix.no-ip.biz (a dynamic-DNS name): T1568 Dynamic Resolution
Repeated TCP/80 connections to bejnz.com: T1071.001 Application Layer Protocol: Web Protocols, if the traffic is HTTP; the report records only the port, not the protocol contents

Analysis: static1

Detonation Overview

Reported

2024-04-11 01:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-11 01:59

Reported

2024-04-11 02:01

Platform

win7-20240215-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe N/A

Uses the VBS compiler for execution

Note: the "VBS compiler" named by this signature is vbc.exe, the Visual Basic .NET command-line compiler under Microsoft.NET\Framework\v2.0.50727, not the VBScript engine. The artifacts listed under Files (a wugczifs.cmdline response file, a wugczifs.0.vb source file, a vbc1AE0.tmp resource input and the RES1AE1.tmp output of cvtres.exe) are the temporary-file layout the .NET Framework's CodeDOM compiler produces when a program compiles source at run time, so the sample compiles code on the host rather than shipping it ready-built. The compiled output itself is not among the files recorded, so the report does not show which dropped file the compile produced.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe N/A

Both the value name (System.XML) and the target file name (AppLaunch.exe) borrow names from the .NET Framework, whose genuine AppLaunch.exe lives under %WINDIR%\Microsoft.NET. AppLaunch.exe at this Temp path is not among the files the sandbox recorded being written, so the report does not show where it comes from. When hunting, check the Run key of every user profile for a System.XML value and look for AppLaunch.exe anywhere outside %WINDIR%\Microsoft.NET.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2484 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
PID 2496 wrote to memory of 2612 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 2484 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe 4

Identical rows are collapsed with a count. Every write goes from a parent into a child it has just spawned (compare the Processes tree below), and writes of that shape also occur during ordinary process creation; this signature on its own does not show injection into an unrelated process.

Processes

C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe

"C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wugczifs.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1AE1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1AE0.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe
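The process tree and the Run-key write above translate directly into host detection rules. The following is an added example, not code from the sandbox or the malware: it evaluates three rules over constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set) that mirror this behavioral1 run. Field names follow Sysmon's schema; the explorer.exe parent of the sample, the benign devenv.exe control event and the list of build tools excluded from the compiler rule are assumptions for illustration.

```python
"""Host detection rules derived from the process tree and Run-key write above.

Added example; EVENTS is constructed Sysmon-style telemetry that mirrors the
behavioral1 run, not real sandbox output.
"""
import re

# Paths and PIDs taken from the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe"
CMDLINE_FILE = r"C:\Users\Admin\AppData\Local\Temp\wugczifs.cmdline"
RUN_VALUE = r"HKU\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML"

# Constructed events (Sysmon Event ID 1 = process create, 13 = registry value set).
EVENTS = [
    {"EventID": 1, "ProcessId": 2484, "ParentImage": r"C:\Windows\explorer.exe",  # assumed parent
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 2496, "ParentImage": SAMPLE, "Image": VBC,
     "CommandLine": f'"{VBC}" /noconfig @"{CMDLINE_FILE}"'},
    {"EventID": 1, "ProcessId": 2612, "ParentImage": VBC, "Image": CVTRES,
     "CommandLine": f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RES1AE1.tmp"'},
    {"EventID": 1, "ProcessId": 2608, "ParentImage": SAMPLE, "Image": DROPPED,
     "CommandLine": f'"{DROPPED}" {SAMPLE}'},
    {"EventID": 13, "ProcessId": 2608, "Image": DROPPED, "TargetObject": RUN_VALUE,
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe"'},
    # Benign control (assumed): Visual Studio driving the same compiler from a project directory.
    {"EventID": 1, "ProcessId": 3000, "ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "Image": VBC, "CommandLine": f'"{VBC}" /noconfig @"C:\\src\\proj\\obj\\Debug\\build.cmdline"'},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
RESPONSE_FILE_RE = re.compile(r'@"[^"]+\.cmdline"', re.IGNORECASE)
# Assumption: parents that legitimately drive the .NET compilers in your fleet.
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_compile_after_delivery(ev):
    """vbc.exe/csc.exe started CodeDOM-style (/noconfig @x.cmdline) by, or on
    input from, something in %TEMP%: the chain recorded in this report."""
    if ev["EventID"] != 1 or _basename(ev["Image"]) not in {"vbc.exe", "csc.exe"}:
        return None
    cl = ev["CommandLine"]
    if "/noconfig" not in cl or not RESPONSE_FILE_RE.search(cl):
        return None
    if _basename(ev["ParentImage"]) in BUILD_TOOLS:
        return None
    if not (TEMP_RE.search(ev["ParentImage"]) or TEMP_RE.search(cl)):
        return None
    return ("compile_after_delivery", ev["ProcessId"])


def detect_run_key_to_temp(ev):
    """Run-key value whose data points into %TEMP% (System.XML -> AppLaunch.exe here)."""
    if ev["EventID"] != 13:
        return None
    if RUN_KEY_RE.search(ev["TargetObject"]) and TEMP_RE.search(ev["Details"]):
        return ("run_key_to_temp", ev["ProcessId"])
    return None


def detect_temp_child_given_parent_path(ev):
    """%TEMP% binary launches a second %TEMP% binary and hands it its own path
    (tmp1A35.tmp.exe <sample path> above; the report attributes 'Deletes itself'
    to that child)."""
    if ev["EventID"] != 1:
        return None
    parent, cl = ev["ParentImage"], ev["CommandLine"]
    if TEMP_RE.search(ev["Image"]) and TEMP_RE.search(parent) and parent.lower() in cl.lower():
        return ("temp_child_given_parent_path", ev["ProcessId"])
    return None


RULES = (detect_compile_after_delivery, detect_run_key_to_temp, detect_temp_child_given_parent_path)


def run_rules(events):
    """Return (rule, pid) for every event that trips a rule, in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for name, pid in run_rules(EVENTS):
        print(f"{name}: pid {pid}")
```

The compiler rule deliberately does not key on vbc.exe alone, which would page on every build server: what distinguishes this report's chain is a compiler launched by a binary in %TEMP% with a response file in %TEMP%, so the rule keys on those locations and only then excludes known build tools.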

Network

Each row in the sandbox output is one DNS query or connection; identical rows are collapsed here with a count (95 rows in the original). The original order was: the DNS query for bejnz.com, one TCP connection to 34.67.9.172:80, the DNS query for hackorchronix.no-ip.biz, then 91 further TCP connections to 34.67.9.172:80. No TCP connection to hackorchronix.no-ip.biz was recorded.

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 8.8.8.8:53 hackorchronix.no-ip.biz udp 1
US 34.67.9.172:80 bejnz.com tcp 92

Files

memory/2484-0-0x0000000074AA0000-0x000000007504B000-memory.dmp

memory/2484-1-0x0000000074AA0000-0x000000007504B000-memory.dmp

memory/2484-2-0x00000000004C0000-0x0000000000500000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wugczifs.cmdline

MD5 d89b5c48de5ea74b9c8a7235a778af67
SHA1 125864f1fab174ece89b872e249e58680b8c3dd1
SHA256 ee18c30d10452c1d1dce36d5207c385d4eddd70dfa1a7b446b9048ba0a23f412
SHA512 0f98379b58840e97836655c4021b758110f9c096e7be318c9f59854e8e7aeb612f657ed30bd47236c3750d443ac20e3d56e456976020c38be01d9d53c7ade568

C:\Users\Admin\AppData\Local\Temp\wugczifs.0.vb

MD5 f57009636b4d06606014e7b4a7dc1cb0
SHA1 3813a628e74af7e5ad1510e10a3794d059acfb8e
SHA256 c2de535d8a01aa0046e4a030f3509ce524056450d3f39631322869fc77725fc6
SHA512 722a6ed348dccb6a578a50c82eb9da6454d30c3def5469ae6c082e670a9632d4d46261e752c3d5c022f0d1bcbf2262ab964fb95cf776272f8f85d11d861e2e32

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc1AE0.tmp

MD5 bd508733cd568487c7b25c38cc2e26fa
SHA1 a3bdd2dbdaa0fdb1d841832be5d4ab2abb9a1747
SHA256 8ca4fcce51d195d000b4d94a1539065eda2ee418c4022225f5a5807321cb9025
SHA512 89db2f0fd5fe44c46359174aa490e81287a2f4ebfd9fee88155687f4365b17361f3384cfe2ff27f808d5535b81f6cd5a68d3966dfca64afdabdf0e7cb4ce77d1

C:\Users\Admin\AppData\Local\Temp\RES1AE1.tmp

MD5 adc9b0364417ef9839dce70a805a1c55
SHA1 cf8a6084002164a3ce745842bc1e5ce5a6778181
SHA256 f70a45cd2eb9f87aa681575892fe76b57aca1222c2e9820e9f2ab2136fbc1631
SHA512 910fa041dea1fd3ac5f644c5d341037846bd9df6c9bd9a16a29b3e8ddf4fb127de527688cb14de0d1b5326b9c394cab7e50b7e2aa401a2e6cbb3b06d9d14ef52

C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe

MD5 3b0692d30cf8e27e48ac948567e25901
SHA1 eab944d4e11395900bb5903b2f314f68eb042fa5
SHA256 953aec2aa5a608b0573e39e1238cb5ff0b129c2f98c6dfb92bdc6037891cc1aa
SHA512 acfdf81e15e9789f74d81419a341e210db5ef6f1ab427fdfded8147f39777183bbc51f6536b535be0e320b522f847d16f537afdf17bdae95631e83c40fc4c05a

memory/2484-22-0x0000000074AA0000-0x000000007504B000-memory.dmp

memory/2608-24-0x0000000000A20000-0x0000000000A60000-memory.dmp

memory/2608-25-0x0000000074AA0000-0x000000007504B000-memory.dmp

memory/2608-23-0x0000000074AA0000-0x000000007504B000-memory.dmp

memory/2608-27-0x0000000000A20000-0x0000000000A60000-memory.dmp

memory/2608-28-0x0000000074AA0000-0x000000007504B000-memory.dmp

memory/2608-29-0x0000000000A20000-0x0000000000A60000-memory.dmp

memory/2608-30-0x0000000000A20000-0x0000000000A60000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-11 01:59

Reported

2024-04-11 02:01

Platform

win10v2004-20240226-en

Max time kernel

162s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 352 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 3
PID 4208 wrote to memory of 5016 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 3
PID 352 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe

"C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vg1yvvsj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8ED2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A6EA494B1EF4BD2AF2CEAD19F5C3FF.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe

Network

Each row in the sandbox output is one DNS query or connection; identical rows are collapsed here with a count (135 rows in the original). In the original order the DNS query for hackorchronix.no-ip.biz recurs for the whole run, after every three or four TCP connections to 34.67.9.172:80, and no TCP connection to that name was recorded. Each PTR (in-addr.arpa) query occurs once; 172.9.67.34.in-addr.arpa is the reverse of the bejnz.com address, and the other reverse lookups are for addresses that do not otherwise appear in the capture.

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 8.8.8.8:53 hackorchronix.no-ip.biz udp 26
US 34.67.9.172:80 bejnz.com tcp 97
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp 1
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp 1
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp 1
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp 1
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp 1
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp 1
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp 1
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp 1
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp 1
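The sandbox's network tables record one row per DNS query or connection in the form "Country Destination Domain Proto". The following added example (not part of the sandbox output) parses rows in that format, collapses them into counts, and derives the two facts a triager wants from this capture: forward names that were resolved but never contacted over TCP, and names on dynamic-DNS providers, together with how regularly they were re-queried. SAMPLE_TABLE is a constructed subset in the report's row format, not the full capture; the list of dynamic-DNS suffixes is an assumption.

```python
"""Collapse and triage sandbox network rows (Country Destination Domain Proto).

Added example: SAMPLE_TABLE is a constructed subset written in the report's
per-connection row format, not the full capture.
"""
import re
from collections import Counter

ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$"
)

# Assumption: suffixes of common dynamic-DNS providers; extend for your environment.
DYNDNS_SUFFIXES = tuple(
    "." + s for s in ("no-ip.biz", "no-ip.org", "ddns.net", "hopto.org", "zapto.org", "duckdns.org")
)

SAMPLE_TABLE = """\
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
"""


def parse_rows(text):
    """Parse table rows; lines that are not rows (headers, blanks) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def is_dns(row):
    return row["proto"] == "udp" and row["port"] == 53


def is_ptr(row):
    return row["domain"].endswith(".in-addr.arpa")


def connection_counts(rows):
    """Collapse identical rows into (ip:port, domain, proto) -> count."""
    return Counter((f'{r["ip"]}:{r["port"]}', r["domain"], r["proto"]) for r in rows)


def queried_never_contacted(rows):
    """Forward names looked up over DNS that never appear as a TCP destination;
    in this report that is the dynamic-DNS name the sample kept re-querying."""
    contacted = {r["domain"] for r in rows if r["proto"] == "tcp"}
    queried = {r["domain"] for r in rows if is_dns(r) and not is_ptr(r)}
    return sorted(queried - contacted)


def dynamic_dns_hosts(rows):
    return sorted({r["domain"] for r in rows if r["domain"].endswith(DYNDNS_SUFFIXES)})


def query_cadence(rows, domain):
    """Rows between successive DNS queries for `domain`; a steady value is a
    retry loop or beacon rather than a one-off lookup."""
    idx = [i for i, r in enumerate(rows) if is_dns(r) and r["domain"] == domain]
    return [b - a for a, b in zip(idx, idx[1:])]


def triage(text):
    rows = parse_rows(text)
    return {
        "counts": dict(connection_counts(rows)),
        "never_contacted": queried_never_contacted(rows),
        "dyndns": dynamic_dns_hosts(rows),
        "cadence": {d: query_cadence(rows, d) for d in dynamic_dns_hosts(rows)},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TABLE).items():
        print(f"{key}: {value}")
```

Run against the full table from a report, the cadence list shows whether a name is queried once at start-up or on a timer; a name that is queried on a timer and never contacted is the one to block at the resolver, since it is the infrastructure the sample is still waiting for.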

Files

memory/352-0-0x00000000746A0000-0x0000000074C51000-memory.dmp

memory/352-1-0x00000000746A0000-0x0000000074C51000-memory.dmp

memory/352-2-0x0000000001170000-0x0000000001180000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vg1yvvsj.cmdline

MD5 08b7fe54e9389047597883029ea4fdff
SHA1 3fb6f2d6d25c8383c72bae9681745609a288c6c9
SHA256 a28adf5bb8eee33c3c4ac535ce4dc6229ab4e8a34c9cd8baa11e8a3382ef0cf0
SHA512 dfeee00e38b4260b44770b1b762cf79e7d74633d55c3d99750dac886f98ede0bb4d4f1e992b6c7a6b83e57d28847479acb2fdf8bb03441ab44bedda53e57a2ab

memory/4208-8-0x0000000002680000-0x0000000002690000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vg1yvvsj.0.vb

MD5 fde5a90b2433dceaa9edbfdd46b6ccda
SHA1 67d0021f9cf96356195174015952c8df65523a59
SHA256 e3af64e7c555ee610ed84d2ddb1f8fd4dc43e2b283aae03e757972b8bb50199c
SHA512 0bed78d9e0f4c221218c4074cde619f92820c5628e114d78d0c68f9b87e141971c94f74539a899272af1fc0dd36ed9b94bdeb7c8c4c1bc563707f9c63f6526d9

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc1A6EA494B1EF4BD2AF2CEAD19F5C3FF.TMP

MD5 934d30669ceb83f23a9cc0328ba47fa3
SHA1 5e933aa042721a1907a24c8d74aec959289787ba
SHA256 4aae529bbbf1883af235fe875e63104075387bfd4a884b59db649fb19c11d36a
SHA512 5e7147b6a17cffae4cd0388f766250e8bebb9510984098edae3091d683035412fc33b7564373e7d6b157f254faa362281ef64cd6265b53c087f6b4dddc818fde

C:\Users\Admin\AppData\Local\Temp\RES8ED2.tmp

MD5 389a87e9619e7736acf195a1cb05721e
SHA1 e353db6f515464df804d0283cdb7e0204b7ad38f
SHA256 522cd729c9db23474edcd8f92dd81b6267847ef26893f9903964c7fc89d9e727
SHA512 5e259f3c488eee6d2c26ff26c4e3961ff9faa10220f0e42a483dfdc73f99e57a4dd216c8dc31536b804a5873bc09c2025d8eb3207201611cc84d3d52debc1c79

C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp.exe

MD5 d12cc6665e949ba38b2d9540e5729519
SHA1 b82135a42d712e80d7369fc6275a488c087485b6
SHA256 5de6274f049206c3456f9c3ddc1f017aa77f4ef444110eea9341c762daa16220
SHA512 2f794fce27bd63d3c205614ee72ecb8b4dff6894c3132b9888c6e72e5790c6e056bf72fbc8e9438eb64553ddada44531e1f4b0ec3d714277d28861cf8dcd3774

memory/352-21-0x00000000746A0000-0x0000000074C51000-memory.dmp

memory/1544-22-0x00000000746A0000-0x0000000074C51000-memory.dmp

memory/1544-23-0x0000000000910000-0x0000000000920000-memory.dmp

memory/1544-24-0x00000000746A0000-0x0000000074C51000-memory.dmp

memory/1544-26-0x0000000000910000-0x0000000000920000-memory.dmp

memory/1544-27-0x00000000746A0000-0x0000000074C51000-memory.dmp

memory/1544-28-0x0000000000910000-0x0000000000920000-memory.dmp

memory/1544-29-0x0000000000910000-0x0000000000920000-memory.dmp