Analysis Overview
SHA256
22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd
Threat Level: Known bad
The file 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Deletes itself
Loads dropped DLL
Executes dropped EXE
Uses the VBS compiler for execution
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 19:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 19:21
Reported
2024-04-07 19:24
Platform
win7-20240221-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe
"C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t8v6dbhs.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD99.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD88.tmp"
C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2512-0-0x0000000074700000-0x0000000074CAB000-memory.dmp
memory/2512-1-0x0000000074700000-0x0000000074CAB000-memory.dmp
memory/2512-2-0x0000000001EE0000-0x0000000001F20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\t8v6dbhs.cmdline
| Hash | Value |
| --- | --- |
| MD5 | e8640abadb0cb8455c4b7bf95c5e5b16 |
| SHA1 | d0d6e74af394eeb91b083e0f20d07bd265e07cdf |
| SHA256 | b74dfc71636439e793c2fd52dcee2a9f3df8edd5fac2156d6bc1dff45449d9e2 |
| SHA512 | 9b80b79ffc9e60dc29827f2285bc4492428050b1fea86137b667d28798029d6aebedd328194b4d0524760717938132adf04545d8bb6e55f2c453ca0cf07f5442 |
C:\Users\Admin\AppData\Local\Temp\t8v6dbhs.0.vb
| Hash | Value |
| --- | --- |
| MD5 | b36128e431979e8a1424fdb926e0b8d9 |
| SHA1 | 002600b66643f0dd41e1dd3a0d9ba301838ced66 |
| SHA256 | c062b72d38097b3c9feaf248f3d5998406830b6cd284d8710f020614463abf4b |
| SHA512 | 3162a27e2f1ea8daaee0850d05226c524ad32c879d72c3fb84334c222fcc01c7adaa16dbc459d14aab9cc33ec53d369b6a6001b81e9cd0b40b56f119e97be585 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| Hash | Value |
| --- | --- |
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbcD88.tmp
| Hash | Value |
| --- | --- |
| MD5 | 5283ce8a47c4454a76e1b82de2659e4d |
| SHA1 | d56de127e55ea3562a132783b1c3566ce77dfb23 |
| SHA256 | fd1871e35e4d14c0eb4d4809b3d600538ca5e8041275f2ace98265d92f7ba4b9 |
| SHA512 | 143888465906427a868df196990b4646ccc4bbcd71fc1e6d349f865e967c96ba4b9e0b50c722530f2d9669e8f25b33fac0a657d658e3fd2c04498939526dcfe2 |
C:\Users\Admin\AppData\Local\Temp\RESD99.tmp
| Hash | Value |
| --- | --- |
| MD5 | 8a82b5c613f4d536d8892c7b59cc2a4b |
| SHA1 | 04b9afd567731a192c4c1e7012fa37a39271cfe9 |
| SHA256 | 6326889209f179edc4ab7127b66d734b2dae6104d3a3f4ccb3ec3be575be575c |
| SHA512 | d75f11577a77baa41ce7b64331e439a390aa5d0deaac0ad4cf6dd8808db2fd6f3e1e4e659ef68a52f211791a27389a8cbecc0b380f2d6eeac866275342861513 |
C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe
| Hash | Value |
| --- | --- |
| MD5 | 2f80f9bb07be63199692e00ba35c4eb5 |
| SHA1 | 9b6518b4948f9918ec36676835d57af5487a8aae |
| SHA256 | b7be93899a31badbd6c325ef24b4d261cd3a2128e8d6c48146e9192b69c0f36c |
| SHA512 | 5a8307dea52134e196b875fa56764e50e0bcc126eafff8cc36e85bcac64fe5aee7f22306f44735f6843ccb83b024dd318095b55feced35e92e17c7da844cc6f6 |
memory/2512-22-0x0000000074700000-0x0000000074CAB000-memory.dmp
memory/2636-23-0x0000000074700000-0x0000000074CAB000-memory.dmp
memory/2636-24-0x00000000002E0000-0x0000000000320000-memory.dmp
memory/2636-25-0x0000000074700000-0x0000000074CAB000-memory.dmp
memory/2636-27-0x00000000002E0000-0x0000000000320000-memory.dmp
memory/2636-28-0x0000000074700000-0x0000000074CAB000-memory.dmp
memory/2636-29-0x00000000002E0000-0x0000000000320000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 19:21
Reported
2024-04-07 19:24
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
158s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe
"C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oevv2rjk.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C97F8D52E904A318B5029819EB7D1A2.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe" C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/3576-0-0x00000000749F0000-0x0000000074FA1000-memory.dmp
memory/3576-1-0x0000000001310000-0x0000000001320000-memory.dmp
memory/3576-2-0x00000000749F0000-0x0000000074FA1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oevv2rjk.cmdline
| Hash | Value |
| --- | --- |
| MD5 | ffe6436382eb096e43558860cd454345 |
| SHA1 | 7318ce46ce3eb6a29504c35ee746c80a824851b1 |
| SHA256 | 5a1e933bc728242d668878e6ecb62ed53754e8c40a5d81fc20f6cbb2ba056c72 |
| SHA512 | 92ff79b101303914a6932f00064e241994dbddbd78009a2b9ad25e568444fe4c1233cf710cac0f0b1f8431128104bec95551a74edfa6f9eee8ce0ae23d56d358 |
memory/1472-8-0x0000000002580000-0x0000000002590000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oevv2rjk.0.vb
| Hash | Value |
| --- | --- |
| MD5 | 189b276bd04907658d464c11d12aac86 |
| SHA1 | 600ff2300c4d5224516518ac45b46e09dd2d6486 |
| SHA256 | a26cd768c78c350ec16895e13c9e18861c293fb5f4beb96596e68b01453e4b77 |
| SHA512 | a0a0b769b04d9a83c086fb802de4519e1efad0755804a3805cd8456f0664bca9271cf456fa5a6f2c1dc5efbfbe9378e9b9db3852b0157a4ed822ef0d80d37e01 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| Hash | Value |
| --- | --- |
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc8C97F8D52E904A318B5029819EB7D1A2.TMP
| Hash | Value |
| --- | --- |
| MD5 | 6a045b5f4029ca0a0973f325e2bbf88d |
| SHA1 | 827547ff4d6b2280d06d909309a0006f6e4752ff |
| SHA256 | 2d133f003eaac9da81fcd992e529a44f8684a423c2f24c799749940d51a22047 |
| SHA512 | d66722ccf9bac1c4d0fa8e2f13bd382c3db7b808fa4b200bc80c426357f9c4377999718bfd4ef7b4bf00fb4750d04add8d4008d1b73074cb9300431a6720c663 |
C:\Users\Admin\AppData\Local\Temp\RES7E86.tmp
| Hash | Value |
| --- | --- |
| MD5 | d98eb291b58e2bc633418dd761634de1 |
| SHA1 | 0dbcc6bf863045069f3044d2f27dfca1a222face |
| SHA256 | 7755a8f04b852efcb76a8db8c9172a99f4ed8d378ff48f2d5abd6fffa56bf1d7 |
| SHA512 | e45574ed71b120c1ae1d758e00e5f2a6f4c992fa2e135d36ed156397f92e1c3e44e10891d821fa58e3883aace6b9bd13adc768ff700d3cccd97515885e60714c |
C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe
| Hash | Value |
| --- | --- |
| MD5 | b371e62e0008d7160b190f70573cec52 |
| SHA1 | ac59332bca5f3516787a07d3ff4615a39aac7c14 |
| SHA256 | c88bbf72880c9766e3ce87f7eaf3418a89507e687ac5e5c9294553e5c23c56f3 |
| SHA512 | b41b68146557d2a70d1cf840262113a65e1abe00076bee2bf151a0723fcac752644e994f48b9e2d0d5fd6573ada55ca63d566d5139df0a5c186e174193db8872 |
memory/3576-21-0x00000000749F0000-0x0000000074FA1000-memory.dmp
memory/3920-22-0x00000000749F0000-0x0000000074FA1000-memory.dmp
memory/3920-23-0x0000000001650000-0x0000000001660000-memory.dmp
memory/3920-24-0x00000000749F0000-0x0000000074FA1000-memory.dmp
memory/3920-26-0x0000000001650000-0x0000000001660000-memory.dmp
memory/3920-27-0x00000000749F0000-0x0000000074FA1000-memory.dmp
memory/3920-28-0x0000000001650000-0x0000000001660000-memory.dmp
memory/3920-29-0x0000000001650000-0x0000000001660000-memory.dmp