Analysis Overview
SHA256
8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8
Threat Level: Known bad
The file 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 23:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 23:12
Reported
2024-04-07 23:14
Platform
win7-20240221-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp2230.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp2230.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp2230.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe
"C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ev99sy1m.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc22CC.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp2230.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2230.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2408-2-0x0000000000330000-0x0000000000370000-memory.dmp
memory/2408-1-0x0000000074090000-0x000000007463B000-memory.dmp
memory/2408-0-0x0000000074090000-0x000000007463B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ev99sy1m.cmdline
| MD5 | 1b268439b1d981f7e37c2b2e6d7aeb20 |
| SHA1 | 7d2a9afdab429e53904b9ab3245a63215116fd09 |
| SHA256 | 4c3f77311a634f6744ac23bca956e500ac9c6091b6b7914a09abb5a33bf063ed |
| SHA512 | 5a5dd8b45753481791a1ed760b150163639a4970e3723e47bcc9366df8214bed41ecd131d09618ea387521dc3a7937959bbb560f7d33dec5004d88127627c0da |
C:\Users\Admin\AppData\Local\Temp\ev99sy1m.0.vb
| MD5 | 3fb38591e1c58ebc526127f99a8ae7d7 |
| SHA1 | b4eaa99c60e689ae7061b295c6d9726887af4663 |
| SHA256 | 9f35fbf5f20e431288398b83c4664c116f3207c4e65e3a0a2eef947cbdc90a93 |
| SHA512 | 8af413e8588e3af88ae17214f154a623fd0afb3c2b9509051a5139ae1b91b3c0c72b33088eeaf255b1fee3d0f4126972082fe10fc93204509fc90e1f0656bcf9 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\tmp2230.tmp.exe
| MD5 | 8bb2caa71e4ba40ea49268915667f8ca |
| SHA1 | dbbf8ce0c2a78fe73c63e962ea877a99cb98cea1 |
| SHA256 | bcee7f683ab73b8af96062956386df5f8212368be00d7e6e58b911604cf31fb4 |
| SHA512 | a405606f16ec350a8eef533b1181ebca6f30d6498db3d42e86428d68c1378935f715e094351e0157f50e1d5e88b22b96febe51b7b0b84307408be57aafe94620 |
C:\Users\Admin\AppData\Local\Temp\RES22CD.tmp
| MD5 | bacaf2e0f018d73fe94ef853ad01fa46 |
| SHA1 | ac3e2ad14f0ca3f05443424242afc38b9ed06b0c |
| SHA256 | ed46be4a2686a6e375bad2b771bdab97ba55913c4dfd5daf9c25a097f70d8fc3 |
| SHA512 | 431c805f5f7c000872518dc2e3dce4196cfb7880524e7baed21a7a8b895a98b397af37ef22044b654581945b195db053754a8b1a074da0cda25950352668581d |
C:\Users\Admin\AppData\Local\Temp\vbc22CC.tmp
| MD5 | dc50ae906c71dcdec15d63530401352f |
| SHA1 | cb260e3f9e0bc2f33d325d1a16178487b26b9f2b |
| SHA256 | e6c3266141f87ebbafe6800862b791972fa1f84a458e8e2846036686ed5dea2a |
| SHA512 | d094ed1e932b18a5f0e188a43e7815e8a9ed84ab06401d9efb15ffabeef5a1c1b0eb330618411791994353da3a45230c9cb6237526c113fb00d56a6d8752b4a6 |
memory/2408-22-0x0000000074090000-0x000000007463B000-memory.dmp
memory/2144-23-0x0000000074090000-0x000000007463B000-memory.dmp
memory/2144-24-0x0000000002030000-0x0000000002070000-memory.dmp
memory/2144-25-0x0000000074090000-0x000000007463B000-memory.dmp
memory/2144-27-0x0000000002030000-0x0000000002070000-memory.dmp
memory/2144-29-0x0000000002030000-0x0000000002070000-memory.dmp
memory/2144-28-0x0000000074090000-0x000000007463B000-memory.dmp
memory/2144-30-0x0000000002030000-0x0000000002070000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 23:12
Reported
2024-04-07 23:14
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3662.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp3662.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3662.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe
"C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zr1cdr0h.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES372D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD82972DFEBE24FF6B44C1782B2A0A25C.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp3662.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3662.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | N/A | tcp |
Files
memory/3572-0-0x0000000074EF0000-0x00000000754A1000-memory.dmp
memory/3572-1-0x0000000074EF0000-0x00000000754A1000-memory.dmp
memory/3572-2-0x0000000000AE0000-0x0000000000AF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zr1cdr0h.cmdline
| MD5 | fa517438f1e7b1bf4eecb51efa7aeaed |
| SHA1 | f0d985a1580a0f2c1e949c0467f8bea5cb5d5067 |
| SHA256 | 1081bb6246e1f4252eb82dc989311024e6d8d4a11af61ed82d91d71e4d0e8137 |
| SHA512 | 0a28d19fc377ca44164684f1b9398e3a78083b64ffd175864624b78ebec286f982fda181565a0199fae9ae351dbf62b591ae2422ebfdf47f93b147e544858012 |
memory/1212-8-0x0000000002610000-0x0000000002620000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zr1cdr0h.0.vb
| MD5 | 87e95cd471ec341640b222d6b07887c1 |
| SHA1 | f394065cfa6fae1e8b8374fbd31f763326f5abf3 |
| SHA256 | a08ee8d7eed1ff1f8b271c459ab7827aefbda960a28d3ea90554ee2fbf650115 |
| SHA512 | 9d5954561ff89edc3a5cb9777e182f3f98468668b6565f85d78f9244d52cf603213f9e78fb76df0ba5bfb0e269085951934dac236b6bb02fbdd5800ec3f7c7c2 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbcD82972DFEBE24FF6B44C1782B2A0A25C.TMP
| MD5 | b1553496892911a4a27d2ba942515085 |
| SHA1 | bea09ae3f3e67188041574d75d2e23daeeba5499 |
| SHA256 | 28cd7862342a930af8325e878bac1a6b9c4317c41ee672695187a2f33bd40f87 |
| SHA512 | c287f50401ff863aa4e78d9cf0d2dd6da0ba6b1bc05777c7984239f3f9f1976d162d7569453a7d465de74aa2c823d6d69e22fda6d24d9f57febefa3b84baab20 |
C:\Users\Admin\AppData\Local\Temp\RES372D.tmp
| MD5 | 1594e14faa6b9a419ef51ef3bdc33440 |
| SHA1 | 4be649a8e1c8aa9a3f93f35c7b066f1e48c7e1ba |
| SHA256 | b1a59a4e3691f8dba505d9bdab5f03165f9940b9d4b62fe2d13496298c4eac1c |
| SHA512 | c7f91e8323ed9fb3f69cd3cc048fdcb223c425afd261b7ea43985172dc8bc3850b847420323ba86229cc0a75a933ac7d554d215dcaa07929873f416571d923a3 |
C:\Users\Admin\AppData\Local\Temp\tmp3662.tmp.exe
| MD5 | 7f06c2d19f253fa1728a33115459f989 |
| SHA1 | 3533a3e4c2e5594c52c57a7ab2e3e0227e546e40 |
| SHA256 | 5eda6d03065a63a873f0611f94c72ca9ee416d64cb3547355ca1a7536eb64eb6 |
| SHA512 | e102893ff1f275f9b964266015fa42596e9117b0b7488c1480840210d9795d8bee576da626a90828aa158687cc20163a9adba05d5916583abc234325b58bcff8 |
memory/3572-21-0x0000000074EF0000-0x00000000754A1000-memory.dmp
memory/3316-23-0x0000000001790000-0x00000000017A0000-memory.dmp
memory/3316-22-0x0000000074EF0000-0x00000000754A1000-memory.dmp
memory/3316-24-0x0000000074EF0000-0x00000000754A1000-memory.dmp
memory/3316-26-0x0000000001790000-0x00000000017A0000-memory.dmp
memory/3316-28-0x0000000001790000-0x00000000017A0000-memory.dmp
memory/3316-27-0x0000000074EF0000-0x00000000754A1000-memory.dmp
memory/3316-29-0x0000000001790000-0x00000000017A0000-memory.dmp