Malware Analysis Report

2024-11-15 06:07

Sample ID 240407-x226psce44
Target 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd
SHA256 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd
Tags persistence metamorpherrat rat stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd

Threat Level: Known bad

The file 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd was found to be: Known bad.

Malicious Activity Summary

persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Deletes itself

Loads dropped DLL

Executes dropped EXE

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 19:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 19:21

Reported

2024-04-07 19:24

Platform

win7-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe" C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2512 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2512 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2512 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1320 wrote to memory of 3012 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1320 wrote to memory of 3012 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1320 wrote to memory of 3012 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1320 wrote to memory of 3012 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2512 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe
PID 2512 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe
PID 2512 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe
PID 2512 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe

"C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t8v6dbhs.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD99.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD88.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe
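The process list above, read together with the Files section, shows the chain behind the "Uses the VBS compiler for execution", "Executes dropped EXE" and "Adds Run key" signatures: the sample (PID 2512) launches vbc.exe from the .NET 2.0 framework directory with a response file in %TEMP% (t8v6dbhs.cmdline, listed beside t8v6dbhs.0.vb and zCom.resources), vbc.exe hands the resource to cvtres.exe, and the sample then runs the freshly written tmpCBD.tmp.exe with its own path as the argument; that child is the process credited with the Run value and with "Deletes itself". The Python below is an added example, not part of this report or of the sandbox, that correlates constructed process-creation and registry set-value events modelled on those rows into three findings: a .NET compiler driven from a response file in a temp directory, a temp-resident child that is handed its temp-resident parent's path, and a Run value pointing into a temp directory. The event field names, the temp-path markers and the MSBuild and OneDrive negative controls are assumptions.

```python
"""Correlate process-creation and registry set-value events into the
drop-compile-persist chain recorded in behavioral1.

The event lists are constructed for this example (field names are an
assumption, not the sandbox's export format) and mirror the report's rows:
the dropper runs vbc.exe with a response file in %TEMP%, executes the freshly
compiled tmpCBD.tmp.exe with its own path as the argument, and that child
writes the Run value.  An MSBuild-driven vbc.exe run is the negative control.
"""
import re

TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")  # assumed user-writable temp roots
COMPILERS = {"vbc.exe", "csc.exe"}                              # .NET command-line compilers
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SID = r"\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000"

PROC_EVENTS = [
    {"pid": 2512, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1320, "ppid": 2512, "image": FW + r"\vbc.exe",
     "cmdline": f'"{FW}\\vbc.exe" /noconfig @"{TEMP}\\t8v6dbhs.cmdline"'},
    {"pid": 3012, "ppid": 1320, "image": FW + r"\cvtres.exe",
     "cmdline": f'{FW}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RESD99.tmp" "{TEMP}\\vbcD88.tmp"'},
    {"pid": 2636, "ppid": 2512, "image": TEMP + r"\tmpCBD.tmp.exe",
     "cmdline": f'"{TEMP}\\tmpCBD.tmp.exe" {SAMPLE}'},
    # Negative control (constructed): a build tool compiling a project from a source tree.
    {"pid": 4100, "ppid": 900, "image": r"C:\Program Files\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r'"C:\Program Files\MSBuild\Current\Bin\MSBuild.exe" app.vbproj'},
    {"pid": 4101, "ppid": 4100, "image": FW + r"\vbc.exe",
     "cmdline": f'"{FW}\\vbc.exe" /noconfig @"C:\\src\\app\\obj\\Debug\\app.cmdline"'},
]

REG_EVENTS = [
    {"pid": 2636, "op": "set", "key": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\System.XML",
     "data": f'"{TEMP}\\AppLaunch.exe"'},
    # Negative control (constructed): a legitimate Run value outside any temp directory.
    {"pid": 5000, "op": "set", "key": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def argv(cmdline):
    """Windows-style split: quoted tokens keep their spaces, the quotes are dropped."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_temp(path):
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def find_runtime_compiles(events):
    """Compiler launched with a response file in a temp dir, or from a temp-resident parent."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in COMPILERS:
            continue
        parent = by_pid.get(e["ppid"])
        response_files = [t[1:].strip('"') for t in argv(e["cmdline"]) if t.startswith("@")]
        if any(in_temp(r) for r in response_files) or (parent is not None and in_temp(parent["image"])):
            hits.append(e["pid"])
    return hits


def find_dropped_self_referencing(events):
    """Temp-resident child started by a temp-resident parent and handed the parent's own path."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or not in_temp(e["image"]) or not in_temp(parent["image"]):
            continue
        args = [a.lower() for a in argv(e["cmdline"])[1:]]
        if parent["image"].lower() in args:
            hits.append(e["pid"])
    return hits


def find_temp_run_keys(reg_events):
    """Run value whose executable resolves into a temp directory."""
    hits = []
    for r in reg_events:
        if r["op"] != "set" or not RUN_KEY_RE.search(r["key"]):
            continue
        tokens = argv(r["data"])
        if tokens and in_temp(tokens[0]):
            hits.append((r["pid"], r["key"].rsplit("\\", 1)[-1], tokens[0]))
    return hits


if __name__ == "__main__":
    print("runtime compile:", find_runtime_compiles(PROC_EVENTS))
    print("dropped self-referencing:", find_dropped_self_referencing(PROC_EVENTS))
    print("temp Run values:", find_temp_run_keys(REG_EVENTS))
```

cvtres.exe under vbc.exe is normal compiler behaviour and is deliberately not a finding on its own; the signal is the response file living in %TEMP% and the parent being a temp-resident executable, which a build tool does not produce. Note also that the Run value targets AppLaunch.exe in %TEMP%, a file that does not appear among the dropped files this report lists, so on a live host confirm whether the target exists before treating the persistence as functional; a dangling Run value still merits cleanup.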

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp

Files

memory/2512-0-0x0000000074700000-0x0000000074CAB000-memory.dmp

memory/2512-1-0x0000000074700000-0x0000000074CAB000-memory.dmp

memory/2512-2-0x0000000001EE0000-0x0000000001F20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\t8v6dbhs.cmdline

MD5 e8640abadb0cb8455c4b7bf95c5e5b16
SHA1 d0d6e74af394eeb91b083e0f20d07bd265e07cdf
SHA256 b74dfc71636439e793c2fd52dcee2a9f3df8edd5fac2156d6bc1dff45449d9e2
SHA512 9b80b79ffc9e60dc29827f2285bc4492428050b1fea86137b667d28798029d6aebedd328194b4d0524760717938132adf04545d8bb6e55f2c453ca0cf07f5442

C:\Users\Admin\AppData\Local\Temp\t8v6dbhs.0.vb

MD5 b36128e431979e8a1424fdb926e0b8d9
SHA1 002600b66643f0dd41e1dd3a0d9ba301838ced66
SHA256 c062b72d38097b3c9feaf248f3d5998406830b6cd284d8710f020614463abf4b
SHA512 3162a27e2f1ea8daaee0850d05226c524ad32c879d72c3fb84334c222fcc01c7adaa16dbc459d14aab9cc33ec53d369b6a6001b81e9cd0b40b56f119e97be585

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcD88.tmp

MD5 5283ce8a47c4454a76e1b82de2659e4d
SHA1 d56de127e55ea3562a132783b1c3566ce77dfb23
SHA256 fd1871e35e4d14c0eb4d4809b3d600538ca5e8041275f2ace98265d92f7ba4b9
SHA512 143888465906427a868df196990b4646ccc4bbcd71fc1e6d349f865e967c96ba4b9e0b50c722530f2d9669e8f25b33fac0a657d658e3fd2c04498939526dcfe2

C:\Users\Admin\AppData\Local\Temp\RESD99.tmp

MD5 8a82b5c613f4d536d8892c7b59cc2a4b
SHA1 04b9afd567731a192c4c1e7012fa37a39271cfe9
SHA256 6326889209f179edc4ab7127b66d734b2dae6104d3a3f4ccb3ec3be575be575c
SHA512 d75f11577a77baa41ce7b64331e439a390aa5d0deaac0ad4cf6dd8808db2fd6f3e1e4e659ef68a52f211791a27389a8cbecc0b380f2d6eeac866275342861513

C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe

MD5 2f80f9bb07be63199692e00ba35c4eb5
SHA1 9b6518b4948f9918ec36676835d57af5487a8aae
SHA256 b7be93899a31badbd6c325ef24b4d261cd3a2128e8d6c48146e9192b69c0f36c
SHA512 5a8307dea52134e196b875fa56764e50e0bcc126eafff8cc36e85bcac64fe5aee7f22306f44735f6843ccb83b024dd318095b55feced35e92e17c7da844cc6f6

memory/2512-22-0x0000000074700000-0x0000000074CAB000-memory.dmp

memory/2636-23-0x0000000074700000-0x0000000074CAB000-memory.dmp

memory/2636-24-0x00000000002E0000-0x0000000000320000-memory.dmp

memory/2636-25-0x0000000074700000-0x0000000074CAB000-memory.dmp

memory/2636-27-0x00000000002E0000-0x0000000000320000-memory.dmp

memory/2636-28-0x0000000074700000-0x0000000074CAB000-memory.dmp

memory/2636-29-0x00000000002E0000-0x0000000000320000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 19:21

Reported

2024-04-07 19:24

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe" C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3576 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3576 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3576 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1472 wrote to memory of 4852 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1472 wrote to memory of 4852 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1472 wrote to memory of 4852 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3576 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe
PID 3576 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe
PID 3576 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe

"C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oevv2rjk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C97F8D52E904A318B5029819EB7D1A2.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe" C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
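Both behavioral runs record the same two network patterns: a steady stream of TCP connections to 34.67.9.172:80 that the sandbox attributes to bejnz.com, and repeated UDP lookups of hackorchronix.no-ip.biz for which no TCP connection is recorded, interleaved on Windows 10 with in-addr.arpa reverse lookups. The Python below is an added example, not the report's or the sandbox's code, that parses rows in the report's own Country/Destination/Domain/Proto layout, discards the resolver address and PTR lookups as non-indicators, counts connections per endpoint, lists names that were queried but never connected to, and flags dynamic-DNS names. The ROWS excerpt is constructed from a handful of the page's rows, and the dynamic-DNS suffix list is an assumption to extend locally.

```python
"""Reduce a sandbox network table (Country Destination Domain Proto rows)
to indicators and retry patterns.

ROWS is a constructed excerpt of the behavioral2 table in the report's own
layout; the full table repeats the same two patterns many more times.
"""
from collections import Counter

RESOLVER = "8.8.8.8"  # the sandbox's resolver, not an indicator
DYNDNS_SUFFIXES = (".no-ip.biz", ".no-ip.org", ".ddns.net", ".duckdns.org")  # assumed list, extend per environment

ROWS = """\
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
"""


def parse_rows(text):
    """One dict per row; the Destination column is split into ip and port."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":  # skip blanks and the header
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_ptr(domain):
    return domain.lower().endswith(".in-addr.arpa")


def is_dyndns(domain):
    return domain.lower().endswith(DYNDNS_SUFFIXES)


def summarize(rows):
    """Query counts per name, connection counts per endpoint, names that never got a connection."""
    queries = Counter(r["domain"] for r in rows
                      if r["proto"] == "udp" and r["port"] == 53 and not is_ptr(r["domain"]))
    ptr_ignored = sum(1 for r in rows if is_ptr(r["domain"]))
    conns = Counter((r["ip"], r["port"], r["domain"]) for r in rows if r["proto"] == "tcp")
    connected_names = {domain for _, _, domain in conns}
    return {
        "dns_queries": dict(queries),
        "ptr_lookups_ignored": ptr_ignored,
        "tcp_connections": {f"{ip}:{port} ({domain})": n for (ip, port, domain), n in conns.items()},
        "queried_never_connected": sorted(d for d in queries if d not in connected_names),
        "dynamic_dns": sorted(d for d in queries if is_dyndns(d)),
    }


def indicators(rows):
    """Domains and destination IPs worth hunting for, minus resolver and PTR noise."""
    names = {r["domain"] for r in rows if not is_ptr(r["domain"])}
    ips = {r["ip"] for r in rows if r["proto"] == "tcp" and r["ip"] != RESOLVER}
    return sorted(names | ips)


if __name__ == "__main__":
    parsed = parse_rows(ROWS)
    for key, value in summarize(parsed).items():
        print(f"{key}: {value}")
    print("indicators:", indicators(parsed))
```

A name that is queried over and over with no connection following, as hackorchronix.no-ip.biz is here, is consistent with a client retrying a dynamic-DNS name that did not resolve during detonation; it is still an indicator to hunt for in DNS logs, and the retry cadence (roughly every fourth or fifth row in the table above) is the kind of periodicity a beacon detector keys on. The reverse lookups are not attributed to the sample by this report and are dropped rather than listed.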

Files

memory/3576-0-0x00000000749F0000-0x0000000074FA1000-memory.dmp

memory/3576-1-0x0000000001310000-0x0000000001320000-memory.dmp

memory/3576-2-0x00000000749F0000-0x0000000074FA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oevv2rjk.cmdline

MD5 ffe6436382eb096e43558860cd454345
SHA1 7318ce46ce3eb6a29504c35ee746c80a824851b1
SHA256 5a1e933bc728242d668878e6ecb62ed53754e8c40a5d81fc20f6cbb2ba056c72
SHA512 92ff79b101303914a6932f00064e241994dbddbd78009a2b9ad25e568444fe4c1233cf710cac0f0b1f8431128104bec95551a74edfa6f9eee8ce0ae23d56d358

memory/1472-8-0x0000000002580000-0x0000000002590000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oevv2rjk.0.vb

MD5 189b276bd04907658d464c11d12aac86
SHA1 600ff2300c4d5224516518ac45b46e09dd2d6486
SHA256 a26cd768c78c350ec16895e13c9e18861c293fb5f4beb96596e68b01453e4b77
SHA512 a0a0b769b04d9a83c086fb802de4519e1efad0755804a3805cd8456f0664bca9271cf456fa5a6f2c1dc5efbfbe9378e9b9db3852b0157a4ed822ef0d80d37e01

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc8C97F8D52E904A318B5029819EB7D1A2.TMP

MD5 6a045b5f4029ca0a0973f325e2bbf88d
SHA1 827547ff4d6b2280d06d909309a0006f6e4752ff
SHA256 2d133f003eaac9da81fcd992e529a44f8684a423c2f24c799749940d51a22047
SHA512 d66722ccf9bac1c4d0fa8e2f13bd382c3db7b808fa4b200bc80c426357f9c4377999718bfd4ef7b4bf00fb4750d04add8d4008d1b73074cb9300431a6720c663

C:\Users\Admin\AppData\Local\Temp\RES7E86.tmp

MD5 d98eb291b58e2bc633418dd761634de1
SHA1 0dbcc6bf863045069f3044d2f27dfca1a222face
SHA256 7755a8f04b852efcb76a8db8c9172a99f4ed8d378ff48f2d5abd6fffa56bf1d7
SHA512 e45574ed71b120c1ae1d758e00e5f2a6f4c992fa2e135d36ed156397f92e1c3e44e10891d821fa58e3883aace6b9bd13adc768ff700d3cccd97515885e60714c

C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe

MD5 b371e62e0008d7160b190f70573cec52
SHA1 ac59332bca5f3516787a07d3ff4615a39aac7c14
SHA256 c88bbf72880c9766e3ce87f7eaf3418a89507e687ac5e5c9294553e5c23c56f3
SHA512 b41b68146557d2a70d1cf840262113a65e1abe00076bee2bf151a0723fcac752644e994f48b9e2d0d5fd6573ada55ca63d566d5139df0a5c186e174193db8872

memory/3576-21-0x00000000749F0000-0x0000000074FA1000-memory.dmp

memory/3920-22-0x00000000749F0000-0x0000000074FA1000-memory.dmp

memory/3920-23-0x0000000001650000-0x0000000001660000-memory.dmp

memory/3920-24-0x00000000749F0000-0x0000000074FA1000-memory.dmp

memory/3920-26-0x0000000001650000-0x0000000001660000-memory.dmp

memory/3920-27-0x00000000749F0000-0x0000000074FA1000-memory.dmp

memory/3920-28-0x0000000001650000-0x0000000001660000-memory.dmp

memory/3920-29-0x0000000001650000-0x0000000001660000-memory.dmp