Analysis Overview
SHA256
87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170
Threat Level: Known bad
The file 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 23:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 23:32
Reported
2024-04-08 23:34
Platform
win7-20231129-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7FC.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp7FC.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7FC.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
"C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\smp-owm7.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc889.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp7FC.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7FC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
Files
memory/2748-1-0x0000000001E90000-0x0000000001ED0000-memory.dmp
memory/2748-0-0x0000000074720000-0x0000000074CCB000-memory.dmp
memory/2748-2-0x0000000074720000-0x0000000074CCB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\smp-owm7.cmdline
| MD5 | 69e7cb35a2cfb4bbe5691028a44700a0 |
| SHA1 | ea242c2d1cd5b81fc95538aa481710b1d8e23785 |
| SHA256 | 7e54d23bb3dd80d6c3e838ed7904442dfef3ef7b8b3de70ed782c5185e690104 |
| SHA512 | 50c390fc5c25d48ea3fc0561cc60061342276c329550b7975379fac02591cce3688804054cde3fce4bf3e60989b20cb4fd3b6ec3bc2626546b05de13f3dc737c |
C:\Users\Admin\AppData\Local\Temp\smp-owm7.0.vb
| MD5 | c01f9a12a067f9e810fff6da1159cd7a |
| SHA1 | abec896c9b69a6253dc4c7ac8686a30bfc787fc6 |
| SHA256 | 26901d3d408e4ad1eb5fc6b62d1df4b62db4d7f033f73f450811578c8edd199a |
| SHA512 | 509b8928fedd3376d9960535c98ca7b8a55202b6408ea28a40bf94d2b4c4125b43a19753d2ae3c48efde56b2038cf7bc90324de91f65d7866c36257a01558c32 |
C:\Users\Admin\AppData\Local\Temp\vbc889.tmp
| MD5 | aa1532241685f324fcc7bbb98141f702 |
| SHA1 | 31f519675391565279d44ecb7e03f54beb26869c |
| SHA256 | 7c2d21d3efccb4e9510515aa5939d3ebf6735f51a12833387d2b3b8f728545ac |
| SHA512 | 7f960a3f4520390b304e8f00298efe2fc4e78bd607cd946e7038036c1ba88141203e81dc9516e240d678768552ae253084140b087c2433326d952a9be6b98750 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\RES88A.tmp
| MD5 | 0fc173cff110e340b2bc236a456cc410 |
| SHA1 | 9a05da13df61d79e6eb8d962eb60063a80ebee6f |
| SHA256 | 394bc77b34f56cf960c32a33e8024b74c0668dbed89664663179346d00d75962 |
| SHA512 | 263f31b4dc5c4a6b3511d3355d10ae5f2fbf20c61540329f2b2778ed1a4d0594f3c88ca409b72f70113d4e85e3a8b672f38bc27c2667a231d21e131be3d6dbca |
C:\Users\Admin\AppData\Local\Temp\tmp7FC.tmp.exe
| MD5 | 40606f2ec6a461dc4acdf4721e352c4e |
| SHA1 | a743259c48602a3fe6646124b87ce80d8eb58cc9 |
| SHA256 | 209938774aaa18492b4179808660a9f18aedc4e4fddde3ed98df9812c4a86ef6 |
| SHA512 | f82752316542359febbdd7759f239bd791614347cdb5a78314838bd70551d100a8aa9a9267bf0ea9bef42a14d01dab5bbe63acfa847f69fa8068160b06a61022 |
memory/2748-22-0x0000000074720000-0x0000000074CCB000-memory.dmp
memory/2612-24-0x0000000000B10000-0x0000000000B50000-memory.dmp
memory/2612-23-0x0000000074720000-0x0000000074CCB000-memory.dmp
memory/2612-25-0x0000000074720000-0x0000000074CCB000-memory.dmp
memory/2612-27-0x0000000000B10000-0x0000000000B50000-memory.dmp
memory/2612-28-0x0000000074720000-0x0000000074CCB000-memory.dmp
memory/2612-29-0x0000000000B10000-0x0000000000B50000-memory.dmp
memory/2612-30-0x0000000000B10000-0x0000000000B50000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 23:32
Reported
2024-04-08 23:34
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3856.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp3856.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3856.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
"C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kp4hknof.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3930.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2B0129462DA4BD1B3DCA238031D365.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp3856.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3856.tmp.exe" C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/1712-0-0x0000000075260000-0x0000000075811000-memory.dmp
memory/1712-1-0x0000000075260000-0x0000000075811000-memory.dmp
memory/1712-2-0x0000000001840000-0x0000000001850000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kp4hknof.cmdline
| MD5 | c2ed8c2bf7dbbc80c4e63621e374278c |
| SHA1 | 06554ea09a85160f8fc18fd01f668d690dc3975e |
| SHA256 | 060097ac22b7aa7cf6c4920b5d209fbf32ea2019414e64dd0024a7f54e7f12c1 |
| SHA512 | 44b5c14cb37bbc5484cb42f6a6893629f72b3bdfd8f5a7332840bf0f893ff06d375a27062dfc245593d059720fa0e7ce5df2005119a0ec0ebbca1b693564e9c2 |
C:\Users\Admin\AppData\Local\Temp\kp4hknof.0.vb
| MD5 | 14b4241bf77320cca978120abefce8f8 |
| SHA1 | 64afb3ab2c5e8706ea96b829e4332bc89c6e5142 |
| SHA256 | a2c771a429078a387f75113b8d55177b97d049e9b43f93fea1a22c9217cc8a16 |
| SHA512 | d8ffb9960e1272345151c189fb15371c2e2058c4f6ae746dd9882161d443cc3115d830266c78dca0b3478f1995e0a10deb552aede5969c13779855857e5fc651 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbcB2B0129462DA4BD1B3DCA238031D365.TMP
| MD5 | 13be886886aeec806f9a797506b951ef |
| SHA1 | e4f250761d470d37a7d6eb4bd7eea64808023b34 |
| SHA256 | 9a754b8a5041976c30d64dd8a805e58f425ffb88dc5f88e1cba861de19a2aeb3 |
| SHA512 | dbfc6721a1644fbccf495d4c9ae7447bdd342d55de1650d99b6fe55500eb06edb3436b9a8166f2fcc30a2e17de76f616fcd3289440552064924c0ab7008d1982 |
C:\Users\Admin\AppData\Local\Temp\RES3930.tmp
| MD5 | c1e944a6d5128d5a31c3330abbc02dfb |
| SHA1 | 123be1d62cdc04c564da4cd626fafb46bd9ff19c |
| SHA256 | 75fa476fda23b7d10b8b765857fd5af3e838ced46d513ce5f9bd3a1264e993f8 |
| SHA512 | ed03cd74968da0d546a0518eaebb53225fce87d30b3dc6aa5a8667e96a8b679279129207e111f1424b30f5a9fcd20a7d4511d4bae8c1258525a5e11557230c75 |
C:\Users\Admin\AppData\Local\Temp\tmp3856.tmp.exe
| MD5 | 4b83d2ae2139702e8e60ae651c4a9437 |
| SHA1 | 64676bd279c7caca239bf949a6c75849a0ee2f44 |
| SHA256 | 293464130a4c0679ff33981fe58e895b6c95a565ba003f48940cdd43c1f897ca |
| SHA512 | c434019e512e13132509aba42c50d1b431562747d7b5e0618aea7ea291cd7e74fcbef76e79dd2f232af7eb446d393ddba0446327c58a9cf723b76f74ee73d23f |
memory/1712-20-0x0000000075260000-0x0000000075811000-memory.dmp
memory/3404-21-0x0000000075260000-0x0000000075811000-memory.dmp
memory/3404-22-0x0000000000DA0000-0x0000000000DB0000-memory.dmp
memory/3404-23-0x0000000075260000-0x0000000075811000-memory.dmp
memory/3404-25-0x0000000000DA0000-0x0000000000DB0000-memory.dmp
memory/3404-26-0x0000000075260000-0x0000000075811000-memory.dmp
memory/3404-27-0x0000000000DA0000-0x0000000000DB0000-memory.dmp
memory/3404-28-0x0000000000DA0000-0x0000000000DB0000-memory.dmp