Malware Analysis Report

2024-11-16 13:11

Sample ID 240411-dbdkwade3w
Target cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154
SHA256 cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154
Tags: metamorpherrat persistence rat stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154

Threat Level: Known bad

The file cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Loads dropped DLL

Uses the VBS compiler for execution

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-11 02:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-11 02:49
Reported: 2024-04-11 02:52
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp52C2.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp52C2.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp52C2.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (4 identical events)
PID 2504 wrote to memory of 2644 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (4 identical events)
PID 2332 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe C:\Users\Admin\AppData\Local\Temp\tmp52C2.tmp.exe (4 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe

"C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9ddfn5pu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54A5.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp52C2.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp52C2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (103 identical connections)

Files

memory/2332-0-0x00000000741E0000-0x000000007478B000-memory.dmp

memory/2332-1-0x00000000741E0000-0x000000007478B000-memory.dmp

memory/2332-2-0x0000000000230000-0x0000000000270000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9ddfn5pu.cmdline

MD5 698ec1e4144ae283b03d445864955e29
SHA1 700b9faf70ee75fd2ef2fd33d0f49a6dda6b9f4b
SHA256 605e2f9400034ac9816e6490172c4e72ccdb18fbeaba07ecfbcc930fa02897b4
SHA512 6ce2bb0fe1a92e4417d4cf42b0bdfcb141d5e01df4b9775f682f9dcd100e778c0679579a947e8e037638bf50d385ba94f3c87679e128b92f587e38cbc2e221a1

C:\Users\Admin\AppData\Local\Temp\9ddfn5pu.0.vb

MD5 4ee33b7b7ecf0604aee8992b919826c2
SHA1 42928cc8e0998e9f52767ca5e5dcb79376575d7b
SHA256 f815b92bc1467bc94166752505702a12b6082fc5ac3c5eb542137f1962eaadb9
SHA512 71788d515d22e3c4befb8b22638333620090637793ca2ed5842315855db8bd0384f0db7a0a5772e83b22c8a379f68207fa036b6696c26c1a8dd608c6e34ba957

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc54A5.tmp

MD5 8a73fa1320be75170e7d89438992c0b3
SHA1 e9151193e15fe48dd85e06de95ae2c46dd68ace8
SHA256 d2f9f2e00b93d46b0af8ce2294a7dd541b414effbaec98d4b586a262409f169a
SHA512 da6d5fa92d1312311342c7402aa78cef4a5affcc402d77b34a860c0cc9ada948ee0a90ab90c0d4703053e61a2da37a6b3cc88be3efe46f10981c4609247df84c

C:\Users\Admin\AppData\Local\Temp\RES54B6.tmp

MD5 01311a04c58d199f85e136206468fa3b
SHA1 c92840e7683c7e398440822c1e384eb4091aa7b7
SHA256 fe2652c4877771d7ba1ccde87b1beec888c7f00be5340fd7c0af0f8195e4ba3b
SHA512 a993300940ac5896f9b85d5d96a5282a21250761311d3d28a0f07e673d99dc16c372b4a3ad160cffa981f22b0f1982802c1ffa7be5e30becc08d8fee8eeeec79

C:\Users\Admin\AppData\Local\Temp\tmp52C2.tmp.exe

MD5 a699fc5a57e52751d4353f25085c078b
SHA1 40a2ca7ff32a6c8556b6938ad4d1dc1ea81680de
SHA256 be937497f57f75aa1b49c245850bd51bc32b66fbf6736617aab6ffbcfbe50b51
SHA512 20fb28ec5500ce9d7e6eab3415162c7594ef7fc4c1ba603dd02c65b2bce7b4ab1eb3de125f40053f6633e4eb939d384e1ef9e83760ff9a65069df5e2cba5117b

memory/2332-22-0x00000000741E0000-0x000000007478B000-memory.dmp

memory/2564-23-0x00000000741E0000-0x000000007478B000-memory.dmp

memory/2564-24-0x0000000000920000-0x0000000000960000-memory.dmp

memory/2564-25-0x00000000741E0000-0x000000007478B000-memory.dmp

memory/2564-27-0x0000000000920000-0x0000000000960000-memory.dmp

memory/2564-28-0x00000000741E0000-0x000000007478B000-memory.dmp

memory/2564-29-0x0000000000920000-0x0000000000960000-memory.dmp

memory/2564-30-0x0000000000920000-0x0000000000960000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-11 02:49
Reported: 2024-04-11 02:52
Platform: win10v2004-20240226-en
Max time kernel: 162s
Max time network: 166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA568.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpA568.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpA568.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (3 identical events)
PID 3704 wrote to memory of 4016 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (3 identical events)
PID 1936 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe C:\Users\Admin\AppData\Local\Temp\tmpA568.tmp.exe (3 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe

"C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0pwut-ki.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6FE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDD807EE983C349BAA544F0D7AD259972.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpA568.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA568.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp (x3)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x3)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp (x3)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x4)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x4)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x4)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x4)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x4)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x4)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x4)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x4)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x3)
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x4)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x4)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x4)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x3)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x4)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x4)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x4)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x4)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x4)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x4)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x4)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x4)
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp (x3)
US 34.67.9.172:80 tcp

Files

memory/1936-0-0x0000000075070000-0x0000000075621000-memory.dmp

memory/1936-2-0x0000000001320000-0x0000000001330000-memory.dmp

memory/1936-1-0x0000000075070000-0x0000000075621000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0pwut-ki.cmdline

MD5 d2c3591c3002e7ac6018077ab9c20fab
SHA1 948a350383600bbefe79eb04351b43c48dbd0d28
SHA256 8060ebab04a74d1bb5c195c51cdfb7d767dbe96acf12c0997dcfd671bc97cf71
SHA512 872be4a70632251c1fc256350d2bf8f5a0669960f36de3866ad8e1692d6ef395561422f87bc64e0b6a35bf634a058db5882c476e45221c7d109d98f770b0c4e9

memory/3704-8-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0pwut-ki.0.vb

MD5 3267da79df5c027afed00cb142972936
SHA1 71557b61bee553ed1888eb0bb5e10e24c7394e8e
SHA256 a474209b2877ae473c2640b199cfbad1f2512633e1ced3fa255ddde1d12b4cc6
SHA512 0bb54a5da9b8e9f1cd95475749db6ba63f8740dc53d7915fa7a0481e9309b1b4270235e93e2a3fae155dd7064f85086d56043eba51ed89194ea98b1134e4820a

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcDD807EE983C349BAA544F0D7AD259972.TMP

MD5 f3d1ceddd6d405ffa87d093f8a3e500f
SHA1 2d71d6d369697266ced8ba3c2045863b4cdbc0c9
SHA256 836fe9019fe53fff0d87598c3a909fa7974a7388b3fb1108b167e9238994b911
SHA512 ee57f2392c48d8c2a56e5ec024f0c87fafea380ffcb556ab799348a8cb2fefe28600fc6d95751633e52c480eb0d06028561572e8542a3fb473650db1576918dd

C:\Users\Admin\AppData\Local\Temp\RESA6FE.tmp

MD5 0633e2710848fa0e6ed3e9f91db13df4
SHA1 62725f80b52aab9d357d980ef41c163a55a44074
SHA256 ff7b1a4dedf28084b32201bfd36b3296e5bc1aedfda4245ec677d6c1710fb471
SHA512 3c63f6f5eb13bbe9329306040836b4ddd09519af6df2b9740413b5c2775f32427af22a5800b36727bfc2d39ed48e7b1770cace6a174d401be60b8f4f3ff150d4

C:\Users\Admin\AppData\Local\Temp\tmpA568.tmp.exe

MD5 6f2c9c65319553141b755cd740f6df22
SHA1 989979383eb3047b09ccd0e11cb374b51263e198
SHA256 8439f953d141e43ee0da23f85d05a6619bd119a369aab29d9b677935d18bda3d
SHA512 9235f9325c4e493eaca3142c7fe3c5d20e4deb2e07f387fa82696187595d06e0625dfa089cc0a688701f1d2e34279180fef686f88c815551751ddd7b40075618

memory/4116-21-0x0000000075070000-0x0000000075621000-memory.dmp

memory/4116-22-0x00000000016D0000-0x00000000016E0000-memory.dmp

memory/1936-23-0x0000000075070000-0x0000000075621000-memory.dmp

memory/4116-25-0x00000000016D0000-0x00000000016E0000-memory.dmp

memory/4116-26-0x0000000075070000-0x0000000075621000-memory.dmp

memory/4116-27-0x00000000016D0000-0x00000000016E0000-memory.dmp

memory/4116-28-0x00000000016D0000-0x00000000016E0000-memory.dmp