Malware Analysis Report

2024-11-16 13:11

Sample ID 240409-2z8ypabh9x
Target 9476db24b4866fd59c47754105197e06
SHA256 2bdd29d7541586a2d348d80278e62127b05e6aa09862f9951ae68a4eb398e96b
Tags metamorpherrat persistence rat stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256

2bdd29d7541586a2d348d80278e62127b05e6aa09862f9951ae68a4eb398e96b

Threat Level: Known bad

The file 9476db24b4866fd59c47754105197e06 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 23:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 23:02

Reported

2024-04-09 23:14

Platform

win7-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9476db24b4866fd59c47754105197e06.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1584.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp1584.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9476db24b4866fd59c47754105197e06.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp1584.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\9476db24b4866fd59c47754105197e06.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1756 wrote to memory of 2976 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2796 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\9476db24b4866fd59c47754105197e06.exe C:\Users\Admin\AppData\Local\Temp\tmp1584.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9476db24b4866fd59c47754105197e06.exe

"C:\Users\Admin\AppData\Local\Temp\9476db24b4866fd59c47754105197e06.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3o4xvyh3.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1621.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1620.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp1584.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1584.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9476db24b4866fd59c47754105197e06.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp

Files

memory/2796-0-0x00000000744A0000-0x0000000074A4B000-memory.dmp

memory/2796-1-0x0000000002080000-0x00000000020C0000-memory.dmp

memory/2796-2-0x00000000744A0000-0x0000000074A4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3o4xvyh3.cmdline

MD5 f59430da640001657311aa9c211f0c3e
SHA1 452644d690e29c7902ec1ba16232ffc38f2732b9
SHA256 f3e23e0a1584bfeacab4ec36fb8f9ef345d20db5b9904a523d9742b4e5f78735
SHA512 8f9ed6ab74cba74b757f8040294ce901e5a3cdea5f468620341c54b5e3ec2209bba64f814b2720f438be21a6763d2c6d2d7473fc58cbb97fde92f1e6948f1a69

memory/1756-8-0x00000000021B0000-0x00000000021F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3o4xvyh3.0.vb

MD5 0e4f501046e974833f41b9a89ee3b2ef
SHA1 555fdec30a570f5a88a256c36525d0938f40ad04
SHA256 3c8a92be6dbf99b2931c71d0f0934dac6d1bf2a62f3a0b5eea2d212d21b1fd1c
SHA512 cfef799f788f9b8d4f33d54eb9e5f592a598e471820624f9ed66dc79b52afafdbc1c97158967cb1c7ce0662f29486381c15bf72709c198015f0e613e282ea4cb

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc1620.tmp

MD5 351d687cf1c79045b1c4b77550ed16fa
SHA1 348bac2e0445483a3dd038a932de588649a4d60e
SHA256 db400ae73a40be39cf746c6e0d9d796659fb5de878c12313ade2895ca30ba803
SHA512 a247241d4d3ff3d627baf0e324b3e49115e5b876706e5ec0deeeab5eb1ba342093ae11bf5ea77c3f78f61bcff4386337ba010f6c847e321259f137216bbd4c05

C:\Users\Admin\AppData\Local\Temp\RES1621.tmp

MD5 25c10097190dc97569d0a08a81ae2a6a
SHA1 a5d2db6a2616f542ed2c012fa571b13b81a782cd
SHA256 aff1e1a3d975ba7be4c06791e4bbb7784f39f302e7da1ea10932dbba1ab34633
SHA512 81f74239c97dcc45f60bd0d80387a0cd8e2a5f850513c20877626b77764ed68bea4516de1effbb78de4d579e7d56decfe4f015bada3d00489f73ac44915d1711

C:\Users\Admin\AppData\Local\Temp\tmp1584.tmp.exe

MD5 499a947be730d24f0cbdad9d1d29422d
SHA1 3cf7f7c747f2c5e0181a069c674f57c527a64486
SHA256 105a7ff5dc4d1e68f81a3c9a167a11e92d3a2a158e14ba6f39f39bb46a514e60
SHA512 26889526717d4cf1cb81382dd9aeabcd77cada8065134c11fe5724f520de35d6902dc331a449c640d2920ca7610db6d8fdab3441c94a611c458b1de8e14e7316

memory/2796-23-0x00000000744A0000-0x0000000074A4B000-memory.dmp

memory/2652-26-0x00000000744A0000-0x0000000074A4B000-memory.dmp

memory/2652-25-0x00000000006E0000-0x0000000000720000-memory.dmp

memory/2652-24-0x00000000744A0000-0x0000000074A4B000-memory.dmp

memory/2652-28-0x00000000006E0000-0x0000000000720000-memory.dmp

memory/2652-29-0x00000000744A0000-0x0000000074A4B000-memory.dmp

memory/2652-30-0x00000000006E0000-0x0000000000720000-memory.dmp

memory/2652-31-0x00000000006E0000-0x0000000000720000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 23:02

Reported

2024-04-09 23:14

Platform

win10v2004-20240319-en

Max time kernel

151s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9476db24b4866fd59c47754105197e06.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9476db24b4866fd59c47754105197e06.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp830B.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp830B.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9476db24b4866fd59c47754105197e06.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp830B.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9476db24b4866fd59c47754105197e06.exe

"C:\Users\Admin\AppData\Local\Temp\9476db24b4866fd59c47754105197e06.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ohhzmh_a.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8628.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc88D0C6AD583A49BC8DE93F9E52928FC.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp830B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp830B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9476db24b4866fd59c47754105197e06.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1384 --field-trial-handle=2232,i,10468259530860544675,2192522633371581869,262144 --variations-seed-version /prefetch:8

Network


Files

memory/2696-0-0x0000000074E00000-0x00000000753B1000-memory.dmp

memory/2696-1-0x0000000074E00000-0x00000000753B1000-memory.dmp

memory/2696-2-0x0000000000E70000-0x0000000000E80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ohhzmh_a.cmdline

MD5 fc87cb85296d9039525cce038508b04c
SHA1 62ebb4861063edddddf6d4a7c20b23f2eb4ecf6e
SHA256 03ea0e1ca7e61a5627fb892eb873ebf674bc80d917a583270414af0a75d26adf
SHA512 3c16cd456fa3f6a513a0fe0f2c0d6881c4623335407be8ab67b98e3c195eed6d0306c4a5facb5fbcf609673070a37e29e101a6f5519eb50276694f3e24e4585c

memory/2972-8-0x0000000002470000-0x0000000002480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ohhzmh_a.0.vb

MD5 7b8949e601df25eeaed92b3f2f93ff46
SHA1 c5c300fc0edb93d0d963552f1fdfd5bc0437838d
SHA256 d41f2cdaae00f917e7d9217eda383259175761380ce9c25a3cb87fdc17169b18
SHA512 59ecb8e13c82978fa96b3ed001cbbe4de22c72bfa950f879983f27edc63da3446165efe2d9c105e6ee2782759e61bf5d22e50a819d21fc2b4411847e8cafe6b8

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc88D0C6AD583A49BC8DE93F9E52928FC.TMP

MD5 8b099e02285456db2a4a89499e3a972f
SHA1 e5cfad33fa03a91e7bd96040f4d4837ece2fc419
SHA256 38392f7e6a3dcf3f1c0df308a18ad19f8dc15c8d46dd783a2939db7d8304cfaa
SHA512 ab4c774988badf9a43a659999b201807f3d73b91e1a3d49ad480b5ae5bccf96d1c6570eb0ed90763695dac6e9c7397eeca9a1a76c2a767a31258e5a7dd16dcdf

C:\Users\Admin\AppData\Local\Temp\RES8628.tmp

MD5 e7e57accfc028b0fd95e733f404e2a2e
SHA1 9f4b8167d10397ae38221c88e049823fd8699c4e
SHA256 90c9c3d38d65c773b5d59d956feb1872de1614f29f388de78cab16320be4f19e
SHA512 9caa23e5c60c61e4cbe2d9558114dac33115e29691a790f4235c6d680a8bb2cbbac59a18e47d0cc921149bf2ca78d21696c878ed3e1b8c4e084e43f5874de02f

C:\Users\Admin\AppData\Local\Temp\tmp830B.tmp.exe

MD5 376f2a21c63c211d066b12331e5e4d98
SHA1 8b1591b927bc15dda09e2864a0264634c34c5782
SHA256 fe68c2b0b42921741089fb8bb7a9de1fba8cdb4dbc4be2838e475b2d6f2ec75a
SHA512 4e26bc8f41e76e6e3fdbe76c8073f90d832dff9958d72d7a75a0e22f72a56a9bdacefee39cf6a9a5c59760d72954ef05df5a082f9d5282439b292a8531451a52

memory/2100-21-0x0000000074E00000-0x00000000753B1000-memory.dmp

memory/2696-22-0x0000000074E00000-0x00000000753B1000-memory.dmp

memory/2100-23-0x00000000016D0000-0x00000000016E0000-memory.dmp

memory/2100-24-0x0000000074E00000-0x00000000753B1000-memory.dmp

memory/2100-26-0x00000000016D0000-0x00000000016E0000-memory.dmp

memory/2100-27-0x0000000074E00000-0x00000000753B1000-memory.dmp

memory/2100-28-0x00000000016D0000-0x00000000016E0000-memory.dmp

memory/2100-29-0x00000000016D0000-0x00000000016E0000-memory.dmp