Malware Analysis Report

2024-11-16 13:11

Sample ID 240411-x46a5sag32
Target 22ec0c56e01121c8a3a0572815419593fab41ee1ec440b41c34e5476d588059c
SHA256 22ec0c56e01121c8a3a0572815419593fab41ee1ec440b41c34e5476d588059c
Tags
metamorpherrat persistence rat stealer trojan
score
10/10


Analysis Overview


Threat Level: Known bad

The file 22ec0c56e01121c8a3a0572815419593fab41ee1ec440b41c34e5476d588059c was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Executes dropped EXE

Deletes itself

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK: Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-04-11 19:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-11 19:25

Reported

2024-04-11 19:28

Platform

win7-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22ec0c56e01121c8a3a0572815419593fab41ee1ec440b41c34e5476d588059c.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2AD8.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2AD8.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp2AD8.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22ec0c56e01121c8a3a0572815419593fab41ee1ec440b41c34e5476d588059c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp2AD8.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\22ec0c56e01121c8a3a0572815419593fab41ee1ec440b41c34e5476d588059c.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1336 wrote to memory of 2720 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2056 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\22ec0c56e01121c8a3a0572815419593fab41ee1ec440b41c34e5476d588059c.exe C:\Users\Admin\AppData\Local\Temp\tmp2AD8.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\22ec0c56e01121c8a3a0572815419593fab41ee1ec440b41c34e5476d588059c.exe

"C:\Users\Admin\AppData\Local\Temp\22ec0c56e01121c8a3a0572815419593fab41ee1ec440b41c34e5476d588059c.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_ocr4txc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B75.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B74.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp2AD8.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2AD8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\22ec0c56e01121c8a3a0572815419593fab41ee1ec440b41c34e5476d588059c.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp

Files

memory/2056-0-0x00000000746E0000-0x0000000074C8B000-memory.dmp

memory/2056-1-0x00000000746E0000-0x0000000074C8B000-memory.dmp

memory/2056-2-0x00000000000F0000-0x0000000000130000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ocr4txc.cmdline

MD5 554a80a32b5aabb62deb3c3647cb56f2
SHA1 1557a54698a9cee9459357a2d4d6b72d206f4b45
SHA256 5a09c46fcb23d9ab866f9a3cec38ce2a3694d29997a8c7d42ad06008063eae80
SHA512 98aaf1ab80121aba676546a76ee2c1bc494e627bca44326e5fb83f1dd10b825bef330c4282c26f09f0b5a1961b50e414b802abfb110b10658b12a4603392a5c8

memory/1336-8-0x00000000020E0000-0x0000000002120000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ocr4txc.0.vb

MD5 41813e55c20c3cb74394733a56b067aa
SHA1 38b3eab13e73ce89db3bd670818ba76d1bf57522
SHA256 b543a48fcf3419292e6b3848e29b993165ddd1f877f34ebf0f651485fe8ec7ef
SHA512 53db0331f917471299f42777c1d253d3d2c5ab79d34738a828a8498ec376c18bad8e88a979832efdf5322d148beb7d1d658aab7af88a2db73d051a62df5fb3e4

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc2B74.tmp

MD5 d88cfa5b36a1c40bb6c57b0cdf6302fb
SHA1 1dc3dacadfc565494556d9a816999068b0565c66
SHA256 f4f9ecbab18ed96b8c56535708423edecb50915bd7e22da316d34b4ae13bf077
SHA512 148f5c7aa5a0a6b05479ab24dd333fb17490251806fc49349c97d733393f45d7a25fa73d4e846e0d281c3b49c2f0fe2be8c905f1aa46b647df8d29ea321015cb

C:\Users\Admin\AppData\Local\Temp\tmp2AD8.tmp.exe

MD5 a5abc4b871c5574a3528702e2b59cd93
SHA1 5ea867aa74d2a1eb75c7a0d17d64904f87700c6e
SHA256 953851df9f6ca9a89865a17374df2e1f43f6351bdc84888e9f7dcf54ab45a616
SHA512 45ee485ba8ea6344e038df552303f8d8a37e304f2113cce5df178d42157c683a89c931c90c09e20bd696f4a0d69f979c6725495189914a9375e2f0348275280b

C:\Users\Admin\AppData\Local\Temp\RES2B75.tmp

MD5 7e83429dc3c590940b571fb209bdfee8
SHA1 d17792773d6540caebbe23586385001e7c8e01d6
SHA256 72f3d40d9d4cee307db21cce42249cdef880f1697db00415ab53c18ba1241d19
SHA512 aed75048f9638b79e82c9df33ec965987e8abd8d1fdcd74629ae230c6e74975d077480505a3d457a7c62d9f95b9c8768578db14e2a11196812a44044ff5badef

memory/2600-25-0x00000000001E0000-0x0000000000220000-memory.dmp

memory/2600-24-0x00000000746E0000-0x0000000074C8B000-memory.dmp

memory/2056-23-0x00000000746E0000-0x0000000074C8B000-memory.dmp

memory/2600-26-0x00000000746E0000-0x0000000074C8B000-memory.dmp

memory/2600-28-0x00000000001E0000-0x0000000000220000-memory.dmp

memory/2600-29-0x00000000746E0000-0x0000000074C8B000-memory.dmp

memory/2600-30-0x00000000001E0000-0x0000000000220000-memory.dmp

memory/2600-31-0x00000000001E0000-0x0000000000220000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-11 19:25

Reported

2024-04-11 19:28

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22ec0c56e01121c8a3a0572815419593fab41ee1ec440b41c34e5476d588059c.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\22ec0c56e01121c8a3a0572815419593fab41ee1ec440b41c34e5476d588059c.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp52E3.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp52E3.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22ec0c56e01121c8a3a0572815419593fab41ee1ec440b41c34e5476d588059c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp52E3.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5056 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\22ec0c56e01121c8a3a0572815419593fab41ee1ec440b41c34e5476d588059c.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3176 wrote to memory of 3444 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5056 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\22ec0c56e01121c8a3a0572815419593fab41ee1ec440b41c34e5476d588059c.exe C:\Users\Admin\AppData\Local\Temp\tmp52E3.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\22ec0c56e01121c8a3a0572815419593fab41ee1ec440b41c34e5476d588059c.exe

"C:\Users\Admin\AppData\Local\Temp\22ec0c56e01121c8a3a0572815419593fab41ee1ec440b41c34e5476d588059c.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rliybowq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES539E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF4835260863241B9A3922DB35D12DD8C.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp52E3.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp52E3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\22ec0c56e01121c8a3a0572815419593fab41ee1ec440b41c34e5476d588059c.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 34.67.9.172:80 N/A tcp

Files

memory/5056-0-0x0000000075080000-0x0000000075631000-memory.dmp

memory/5056-1-0x0000000075080000-0x0000000075631000-memory.dmp

memory/5056-2-0x0000000000F60000-0x0000000000F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rliybowq.cmdline

MD5 975b2277f0e7e02bcafc86ecb88ae869
SHA1 9d000c16c107799b7e34392f47ec310a701ea21c
SHA256 c4da87f8ba12f0f7f2ad956b86fdf6796ccd33757da1bd42c217a2cdbc4af06c
SHA512 84e3fdf92f78190c0b92feea9b402a48a0c4adce7b02151781b336b530c75b9e072d0f73c05a7c22d4d2eebeb2f0c74508a1f2ca0c9adcff27e3a38719a93e50

C:\Users\Admin\AppData\Local\Temp\rliybowq.0.vb

MD5 438b8e82bd2448a893fbedc11bb2be18
SHA1 8501b0c65aa6cefc33928387de9ac5e37fe49060
SHA256 81a54dc8b7682f602ccffdf2c5bb683fc1ebeebe038d77e36ec920c5a33d4575
SHA512 a36b4fbadc032f9e2070270a5183be35043e47c17ab0e458bd067bb676da0e6089bdfba6d660cb84be400c608d9723a4409834bd8df19e4030ca5e73c4e44e01

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcF4835260863241B9A3922DB35D12DD8C.TMP

MD5 f9758c5c5819c437bee50c313e6fbe08
SHA1 5b2132cfec35e02b348130ec7bc6f2a4fc8bebdb
SHA256 bfd309584be8a28aa573047f50dd6555437fa18749ece6a17bdabf3c36dd94f2
SHA512 70e0861c3ec0473bebd17f3b77c042c359efe488d39da5e1c092e30a4c39a97780304ae960f782392ce635c6e46de944d711a84c90a1e2c516ce216bf4264808

C:\Users\Admin\AppData\Local\Temp\RES539E.tmp

MD5 31ffff813a25b83fd3dec50ee6ffab71
SHA1 a606d196125d945cde41035ea20143673d0d45eb
SHA256 4fb7d3daf87ac94110d5181f4579a22dbdd43b8792743a0230151a92454b7b4b
SHA512 fb9fcbb7df850e1f3bcf0734063126caf1f05084a25ed93c8fb28406d575cc1deb9bf77fb00f31106ad78214c388d82c3250a3fae9ca789c4062a1a4add89a0b

C:\Users\Admin\AppData\Local\Temp\tmp52E3.tmp.exe

MD5 3d21acfcf1c590f04c651b5d96b496e5
SHA1 9bde73f319fcf046c336680878a5585c5bf83a40
SHA256 7a559b84c65f0883886a0c94cea04449d58df5bb0c53a082d80011d9a61b96fc
SHA512 39982870f50ac7c274ae0c3dc19b129bc72835b8d15135ff0660d34144d2ada7333128e5b6af79654a447bf192b1b5cb9c5d231e690132e9b85c0b6b71977c2c

memory/2568-21-0x0000000075080000-0x0000000075631000-memory.dmp

memory/2568-22-0x0000000001220000-0x0000000001230000-memory.dmp

memory/5056-20-0x0000000075080000-0x0000000075631000-memory.dmp

memory/2568-23-0x0000000075080000-0x0000000075631000-memory.dmp

memory/2568-25-0x0000000001220000-0x0000000001230000-memory.dmp

memory/2568-26-0x0000000075080000-0x0000000075631000-memory.dmp

memory/2568-27-0x0000000001220000-0x0000000001230000-memory.dmp

memory/2568-28-0x0000000001220000-0x0000000001230000-memory.dmp