Analysis Overview
SHA256
8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63
Threat Level: Known bad
The file 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 23:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 23:41
Reported
2024-04-08 23:44
Platform
win7-20240221-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4DA3.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp4DA3.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4DA3.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe
"C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\snlrwylj.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F69.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F68.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp4DA3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4DA3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2504-0-0x00000000741B0000-0x000000007475B000-memory.dmp
memory/2504-1-0x00000000741B0000-0x000000007475B000-memory.dmp
memory/2504-2-0x00000000002A0000-0x00000000002E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\snlrwylj.cmdline
| MD5 | 76b15d77139bb926f5633bec87d72240 |
| SHA1 | 2156864d88a83d287fc77228a3f09026c1bf4253 |
| SHA256 | 4ead162907d3172ddab5341498b02192d07b1a18e974dd0f433f5e326afa045f |
| SHA512 | 2dbe37773b987bd0fe2983b8c91ab594725db36bf6a0881d49bc9593086da0b56af9d1c7b040030d1e3a5b53b605206968e3f9601c8cd935221dc88cb3aab725 |
memory/1768-8-0x00000000005C0000-0x0000000000600000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\snlrwylj.0.vb
| MD5 | b25ad46db3cb1eb0bfebde35b0e8ef4a |
| SHA1 | c22802af0094f454db2da6377c38f79751ef0eb8 |
| SHA256 | 7e907b91274410fefce45067ceced5da38089f3795dcbbaa9cc0e9939a1913f0 |
| SHA512 | 6ac1830b6fb9a39bf912d6064b2260b3f6c453975d4cba11ad9569d5305696666ae00444b89244f420c3990ed725f97f72b06212ffe21524068bd483a707918e |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\RES4F69.tmp
| MD5 | 70bd931f50eea5ce95bea28cdc51118d |
| SHA1 | 13cb81f4a20709643458882c72ec87aa1749ac8b |
| SHA256 | 5b0f86b40034687e9810db1e8994ab896ddb9f453eb87ffd6a5c0c349cb53929 |
| SHA512 | e3cb6e54e2ab36972dc3f00499df5cba10de8f270cb4ec4cb0edfc937a2f2e535c8e664f67e8f119b37897736d2086c6407731254f4d1bc15d6221f96b692889 |
C:\Users\Admin\AppData\Local\Temp\vbc4F68.tmp
| MD5 | 89f0789c01251e6b2c88551d61029199 |
| SHA1 | 7bf90deedb964189e52f286d97078b82dc405de5 |
| SHA256 | dcbd2cf526cd4d09d990694f39935441db622ca97c741838eeb110e157189c58 |
| SHA512 | 82173b2621ba03647f3ef173e9f7121ebfbe86cb00c7c4a0cec936f91a946b317c169ca2835a82f1231a255be433b93d5700c7a64931c16cc1e2e2af0ff736da |
C:\Users\Admin\AppData\Local\Temp\tmp4DA3.tmp.exe
| MD5 | f1756d1f52f3ec3d699a2f29e6795fc2 |
| SHA1 | 7358f0fdf06517d5aec6a36f5ed21fe0756d98ef |
| SHA256 | 9b5e567d9fa50fcf572d6cff7a6022b89496f05980f27534296fdec2484fe31d |
| SHA512 | 6c63285bdc9924b1d871dd614812e32500257d47b0b6d5242895e02abd638964de73ff69fe02f87b02e9c6578eb38e3b5feae099b657e75f5fed567284ca0850 |
memory/2504-23-0x00000000741B0000-0x000000007475B000-memory.dmp
memory/2628-24-0x00000000741B0000-0x000000007475B000-memory.dmp
memory/2628-25-0x0000000002040000-0x0000000002080000-memory.dmp
memory/2628-26-0x00000000741B0000-0x000000007475B000-memory.dmp
memory/2628-28-0x0000000002040000-0x0000000002080000-memory.dmp
memory/2628-30-0x0000000002040000-0x0000000002080000-memory.dmp
memory/2628-29-0x00000000741B0000-0x000000007475B000-memory.dmp
memory/2628-31-0x0000000002040000-0x0000000002080000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 23:41
Reported
2024-04-08 23:44
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
157s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp43BB.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp43BB.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp43BB.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe
"C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cyqy0our.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES561A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2DDD1E992346454CA33505975775733.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp43BB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp43BB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2732 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
Files
memory/4760-0-0x0000000074FC0000-0x0000000075571000-memory.dmp
memory/4760-1-0x0000000074FC0000-0x0000000075571000-memory.dmp
memory/4760-2-0x0000000000DD0000-0x0000000000DE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cyqy0our.cmdline
| MD5 | f8a0667906b45d2fbc5fd33fb519dd01 |
| SHA1 | e5d1602c62fba01637de9015e38f4ce55d047fde |
| SHA256 | 9284a13771d50275c304f907115c5a001193ecdbc2af0bd792c6350958ee4562 |
| SHA512 | d19db76d8bf746edd070a4344a2944bbcf552e5e98f21a2f442c63abc121a8c0a2b3788c2302ac74613b42ba4cb275032a72de2daf36c92b05553abf4edfe35a |
memory/4760-8-0x0000000074FC0000-0x0000000075571000-memory.dmp
memory/1368-9-0x00000000022B0000-0x00000000022C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cyqy0our.0.vb
| MD5 | e394a089d80d7505e9d3d9cb1d31f41a |
| SHA1 | 9cc39f2244a4220f45303b341b53a2f48436d3d8 |
| SHA256 | 785508e544ff271aa897b9bc59e49295a621382303c7137097ca2574b0e655ff |
| SHA512 | 4c3d4cf22d189ca854118dad6a8c1f898d81a53ded79a24679e4c8cf27e1abf03965c1245e29f9c7dcdf9a077f6e69173bbdda6c3d72c4355cb995cf834ef4aa |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc2DDD1E992346454CA33505975775733.TMP
| MD5 | 1c431e049b7a49bff3b6557d3042b9b7 |
| SHA1 | 6cb8a1fa6d78ddfc45d99a215745a7799f0251d0 |
| SHA256 | 3764524d8e0eb1698dc71f8fa03da456cad42f664fd665d77f5126361850d4d5 |
| SHA512 | 2ceb1eedcbaf1868c6320b9ca1ae5e2e6d90512c42fb09a888eae68c85bb2f4f71b0758f9417f6e38cc2b3e73db410af3007f9a33324e0d8afdc09957a7bd8c1 |
C:\Users\Admin\AppData\Local\Temp\RES561A.tmp
| MD5 | 23aba11312fc64602fae1b3d9449bce3 |
| SHA1 | 702f838be4fabe8dedf7f0a085c806a4409d89b3 |
| SHA256 | 1095943d15ed190532f3d1ecd2a3de4772327e6f50bc775e1c8b6bf84be6a491 |
| SHA512 | 1089f7eb187f71f1f89e4b46e5655178a31fe550c8f11fc7f212fabbd3afef701c46932a0d8c2ad8b62e149dc53ad8536c8a3e6147678af6a654ed6c5475fc37 |
C:\Users\Admin\AppData\Local\Temp\tmp43BB.tmp.exe
| MD5 | baadfec4ac42a4b70900b8f795b4bced |
| SHA1 | 88da7a0fc8e9af20f1acb28df042415e3cb33c1c |
| SHA256 | 44127b1cee3e8eb74a8b8dcd870066208697848cd64ea7461c2a9ad25fa158f1 |
| SHA512 | f75d8fcd815010b55a585c7e658e6ef966f8b77bb6420c8de890a20a2e9fa8d3cf1445621ced00e637bf8dbc03a2ec52c035e57839e7fc2fe48a30af8906dc3a |
memory/4760-21-0x0000000074FC0000-0x0000000075571000-memory.dmp
memory/4760-22-0x0000000000DD0000-0x0000000000DE0000-memory.dmp
memory/3184-24-0x0000000074FC0000-0x0000000075571000-memory.dmp
memory/4760-25-0x0000000074FC0000-0x0000000075571000-memory.dmp
memory/3184-26-0x0000000001820000-0x0000000001830000-memory.dmp
memory/3184-27-0x0000000074FC0000-0x0000000075571000-memory.dmp
memory/3184-29-0x0000000001820000-0x0000000001830000-memory.dmp
memory/3184-30-0x0000000074FC0000-0x0000000075571000-memory.dmp
memory/3184-31-0x0000000001820000-0x0000000001830000-memory.dmp
memory/3184-32-0x0000000001820000-0x0000000001830000-memory.dmp