Analysis Overview
SHA256
86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310
Threat Level: Known bad
The file 86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 23:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 23:29
Reported
2024-04-08 23:32
Platform
win7-20240215-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
"C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wm30nljz.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1759.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1758.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | tcp |
Files
memory/2416-0-0x0000000074CF0000-0x000000007529B000-memory.dmp
memory/2416-1-0x00000000005B0000-0x00000000005F0000-memory.dmp
memory/2416-3-0x0000000074CF0000-0x000000007529B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wm30nljz.cmdline
| MD5 | 99a622662b1cfe8c1002479375971d71 |
| SHA1 | d9a3ecc4e364fadc0d3d3aea57d5276458332082 |
| SHA256 | c738a6686846b8c627d66d8e32caea192b5fec7fa7899fd1cd850b3f43b07def |
| SHA512 | 417fd7e2f1fd7251d000e2844a44c557ca3c59331aba2d47ebe4edc2d77ca3c9e881aa631bcd15587700d9ac84b4c05a4e8a65c2ea9a2b340ac9efbed97da8e3 |
C:\Users\Admin\AppData\Local\Temp\wm30nljz.0.vb
| MD5 | e19ecf2aa032a20a207189e2ca5d4a8f |
| SHA1 | a55b2ffb1da69421594ef08d73d8628686f7f485 |
| SHA256 | 6b4d29f60ce521b3162f9200e8a496ea7c532a9362526e2c449364c804eb41e5 |
| SHA512 | 6318608daa8ecb776f00659ece9e23cc77f51d6698955f1afa6472fc82465d17cceadf3932aa45717b27752142d1e7de74ad83a5a00e0a65f46c3f049c9bda43 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\RES1759.tmp
| MD5 | 5d1545a2c62b5a5da368536ba7af2ec7 |
| SHA1 | 348feea04d4d4a2434ed57b69556fab6bd53ee0a |
| SHA256 | e3a377b2a26ede7f8105309a80b314d123f47731c7bfcb397538904ffe698e11 |
| SHA512 | 10bace610c613e0ba71d8531972a1e320a6c26798efbf96e0ecf7fbd53172cefcb685ff81c59e2cbc34ec25b7f32e6c7364048634043993bd4875fef0ce08ea4 |
C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp.exe
| MD5 | 620bc88976324a4797749d0c514719ca |
| SHA1 | 7742437f4f46fe099d6c88d8357be327e965411a |
| SHA256 | 3679fd60c4cbcd98ec52fea56668295019091d922086554df57c7cd3eb5cdeb1 |
| SHA512 | e07dbaab2d164da1cee95980188ad1db61774df6080736e16cf6045c9482532ee8fdd86688d986e2d9286d0c0117b4759b815188c7bdbebb8fdfb133d9d0c5b1 |
C:\Users\Admin\AppData\Local\Temp\vbc1758.tmp
| MD5 | 5450dafdd83262b5aa7463021e209498 |
| SHA1 | d52fe4e1db8dd050356c6a2a7ce4dda39dd60b7c |
| SHA256 | 2846e8a62a4494c63a50fa475a0d92c0665b8a832f9c3f1ac0cd7bfa42a5aae8 |
| SHA512 | cff88ab69a113e2775bc084c0942c47807d1781a2da0cbd4ff08e9d8c29a4c2c71aef7a709daf88f209a8bb88858936216c30145e60c9672f179a4f3068831c0 |
memory/2416-23-0x0000000074CF0000-0x000000007529B000-memory.dmp
memory/2556-22-0x0000000074CF0000-0x000000007529B000-memory.dmp
memory/2556-24-0x00000000023C0000-0x0000000002400000-memory.dmp
memory/2556-25-0x0000000074CF0000-0x000000007529B000-memory.dmp
memory/2556-27-0x00000000023C0000-0x0000000002400000-memory.dmp
memory/2556-28-0x0000000074CF0000-0x000000007529B000-memory.dmp
memory/2556-29-0x00000000023C0000-0x0000000002400000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 23:29
Reported
2024-04-08 23:32
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4045.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp4045.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4045.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
"C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3fnb4f1j.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES417D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc707C5DB43C8D436793BBAA474F365DE5.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp4045.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4045.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2928-0-0x0000000075040000-0x00000000755F1000-memory.dmp
memory/2928-1-0x00000000015F0000-0x0000000001600000-memory.dmp
memory/2928-2-0x0000000075040000-0x00000000755F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3fnb4f1j.cmdline
| MD5 | d701f6483e913122331c112b0ebcb3b1 |
| SHA1 | ea2df6958a0fbb2c9a29de0c98180495a86cb2b1 |
| SHA256 | 84a652b615a2fad19ec18357520f2fe246ccbad23e20b6356de7e9524c5a9173 |
| SHA512 | b0497201010b9f11e395049f552e92bd07acd61a40e8f13b895c91a8ac7a9d8dd835a50295e5e7e18645c9742ed8a014a9f364e76c38cf0830f55cae8d3e8593 |
C:\Users\Admin\AppData\Local\Temp\3fnb4f1j.0.vb
| MD5 | daf690c9d79c8f7ad46244d687ed7da5 |
| SHA1 | 8c2d7b026bea2cdd8cf363003dc89e14a559dc28 |
| SHA256 | ba5be369e1c903d87402cb22cae86f6c3fe0cfcd306bcd6935e3ff9a0bf0ede9 |
| SHA512 | c0532cf862b3b37ae23c6228df9f2b490a7b58c109e76896937809bdc560c3e34c2aeeef0ba708ceb0a0b4b44653032f3befa2cb6a5d7a8ee8ac415a3c39af3f |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc707C5DB43C8D436793BBAA474F365DE5.TMP
| MD5 | ff15d2f04bc5d6b3508bca68df2a20d4 |
| SHA1 | 9b8f7547e6af9af8f3ea40905e814fd5278d4f03 |
| SHA256 | 197c9e3be1e1250262e240b4f032b05121b32ac6881ce3e9b7828bb9c11f7bff |
| SHA512 | fd04cf3614fdf73d1c491a4781799301be21aed9772ffa411fd6103320e6b197bb9a9c24f6dd1cba921c3cf33e3fbc9db26716569140b6d79126cda288cd831e |
C:\Users\Admin\AppData\Local\Temp\RES417D.tmp
| MD5 | 51a2dcba163ba84415aa8274fc5442f6 |
| SHA1 | 478d99ed235f2f768246952e0165335b967a6836 |
| SHA256 | 4922e9d3f3ee4fd5550f3f44098c603d97cb7e5a85628655e664c256bed09c76 |
| SHA512 | d5cf636a34f5804ed70d12f3b285c82cd50ecc196814998e5871d231fc62e689da9d28f6eb94ed9ff6fd36efcbfd554dcd206f7c6fa151fe163ec25a87ea97f3 |
C:\Users\Admin\AppData\Local\Temp\tmp4045.tmp.exe
| MD5 | 053a44b4297ea526c2f5ddcfafd56507 |
| SHA1 | 216572a94bc18018f8a9c6e8a92798c090d5c7f4 |
| SHA256 | 85ee768f1b1cceedeb5bb403623866697166eefbecd41e7ad1cf138dec2e5c09 |
| SHA512 | f2909dcde84d4fc9baa6cb4ab53f97219bc60e84b4d2606a1a69ecd78f08f0a72f15760f3e77e1bf1e6c24ff6fe431f941980d8f609d34c800b96962bfc01fc5 |
memory/2928-20-0x0000000075040000-0x00000000755F1000-memory.dmp
memory/1596-21-0x0000000075040000-0x00000000755F1000-memory.dmp
memory/1596-22-0x0000000075040000-0x00000000755F1000-memory.dmp
memory/1596-24-0x00000000003B0000-0x00000000003C0000-memory.dmp
memory/1596-25-0x0000000075040000-0x00000000755F1000-memory.dmp
memory/1596-26-0x00000000003B0000-0x00000000003C0000-memory.dmp
memory/1596-27-0x00000000003B0000-0x00000000003C0000-memory.dmp