Analysis Overview
SHA256
8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87
Threat Level: Known bad
The file 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Uses the VBS compiler for execution
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 23:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 23:44
Reported
2024-04-08 23:47
Platform
win7-20231129-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1880.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp1880.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1880.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe
"C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4nsaax81.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES192D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc192C.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp1880.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1880.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/1752-0-0x00000000741A0000-0x000000007474B000-memory.dmp
memory/1752-1-0x00000000741A0000-0x000000007474B000-memory.dmp
memory/1752-2-0x00000000002C0000-0x0000000000300000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4nsaax81.cmdline
| MD5 | f68dc88b62dc41b5fa7e24529a7fc61b |
| SHA1 | d9a8e233f02631d25d75d46eb5993db16ee4f17b |
| SHA256 | 1545062924d257a960010a3f07ece352d93821e28b8e163c9b6b57715739d2ea |
| SHA512 | 0af40eb72b7210f69842a9fbbebcb03a4059a599a40d61fa42bb52b3e9b420952b47972a789b0b31ae77fedd6d8eae0e0278c160524bf6741682085ae326efb2 |
C:\Users\Admin\AppData\Local\Temp\4nsaax81.0.vb
| MD5 | 9ebf7d57bc356057f5fdc4c5f01b12d0 |
| SHA1 | feba17873ff8b61fd6919db84e89363269a531b6 |
| SHA256 | 30fb8243a8456bc3ab6858b35985051110228ccbc13af8b9431ff1d619c4d6bb |
| SHA512 | 8fedaae522c9b0e8447cd99c02a8bd073f03bd19194fdac57a8589de38cdfda150ff0a4b7f903299b7dc3a719e6d53c5868fd85599ae300371d5b5839a7d86be |
C:\Users\Admin\AppData\Local\Temp\RES192D.tmp
| MD5 | 64ab1e8030d055c86229a24fa70103bb |
| SHA1 | c85184a631cf660c792a7a050cf60de4853b0fac |
| SHA256 | 954df54413dc62f571dbd7c37f94f2183cf7fcacf0f7cf86875701b5b3a118e2 |
| SHA512 | 108abcb0eb989feca6b26e553916c5697bec3dce346187e1f14442e914efa3ceb450ea8c9950fec73dc12e5e5f4a2562879bfa5ad7044c7786907c636a779d41 |
C:\Users\Admin\AppData\Local\Temp\vbc192C.tmp
| MD5 | 973a5a9c42dfe1a11b3bd6bd40a4e183 |
| SHA1 | 9658624d9c23ae64046c60783dd765a52e17d761 |
| SHA256 | d00f37795e0479d67ae2db5fa5b58406aea579ff9ba23ae9560ca4ad2de86515 |
| SHA512 | e41a36616f6099a1edf10a8712bf20b41fbbe4139bc7ebc5c1ee0aec28ca37bd83d3b62f40a2a833323fd2702d2e2c88982987b33ad1d240261dd459d0e74928 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\tmp1880.tmp.exe
| MD5 | b1e271fca54e0ab14687aa0ce04ad276 |
| SHA1 | 94c19de64d24498715beefe070d1a6ec26179a74 |
| SHA256 | a4720aaeec0f4ce30b70157e54d4f5f119feecb22c66795c8e4a476c357ac242 |
| SHA512 | 3b8aeb7a1752d22472da0c219553db50e8d262136482196a07090d5b84c9a579389e7f126d3fa594f6d49bc5d23493f44b48290f31038b1a495d48eb83d896b6 |
memory/1752-22-0x00000000741A0000-0x000000007474B000-memory.dmp
memory/2788-23-0x00000000741A0000-0x000000007474B000-memory.dmp
memory/2788-24-0x0000000000120000-0x0000000000160000-memory.dmp
memory/2788-25-0x00000000741A0000-0x000000007474B000-memory.dmp
memory/2788-27-0x0000000000120000-0x0000000000160000-memory.dmp
memory/2788-29-0x0000000000120000-0x0000000000160000-memory.dmp
memory/2788-28-0x00000000741A0000-0x000000007474B000-memory.dmp
memory/2788-30-0x0000000000120000-0x0000000000160000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 23:44
Reported
2024-04-08 23:47
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp34DB.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp34DB.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp34DB.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe
"C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ddglcxwe.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35C5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F84368D210E4E029B5D84B929A52DF3.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp34DB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp34DB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | N/A | tcp |
Files
memory/804-0-0x00000000746E0000-0x0000000074C91000-memory.dmp
memory/804-1-0x00000000746E0000-0x0000000074C91000-memory.dmp
memory/804-2-0x0000000000B10000-0x0000000000B20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ddglcxwe.cmdline
| MD5 | 93f2eedf98b511ba9ed00a284c371a72 |
| SHA1 | 64ff826407fde0e5f3f5adea6929754b927e6165 |
| SHA256 | 9a1fb164316694b505063905c15009c63ba46ef21d7d6c27cd9c82510cc145e3 |
| SHA512 | af05cdce73aac71c031d75af32a36bb66517c0a0b07b8d1f905b02bae2961947caff06642b2bb461f9163d9771621fa13ca09688ec2af0d0d6fa50b0bc7a9836 |
C:\Users\Admin\AppData\Local\Temp\ddglcxwe.0.vb
| MD5 | b6bce926908a01ece9b6de39285be9b9 |
| SHA1 | 0a86934ed6e6ae324dc1107b6dfac0ad18586f97 |
| SHA256 | 3368c8b0790c6d346a140c9c43dcd7d704edf413b01860637eb7b8b0dfb3fddc |
| SHA512 | d9ba3c3aac1d1632cdcb8b7e7a0e30ffa25c1ec16e0e4b40060579115c44986cbcb552c6c4ae409445ddc463eafc8f188abaee586fb6ba1b88281793f2bd638a |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc6F84368D210E4E029B5D84B929A52DF3.TMP
| MD5 | 41a871d670dcf8c8853b894e48a9f48c |
| SHA1 | f0a780473d149682d295f6e4164af9321de3ec1a |
| SHA256 | d6421b6846daf19ae8c7abc8b3ce1b747217bc7b7081d744eee9ba499d6c9a23 |
| SHA512 | 639dc81fcac3ba4378aaeeb147b808c4725e741b6002c83ed09a1b546552c8d2a8ec018948d24c25e5217a4bb8b5939f8a3c951bf37dc711b30aa1356ba3008d |
C:\Users\Admin\AppData\Local\Temp\RES35C5.tmp
| MD5 | 4e4c45855113bfa9cf727f19180525f9 |
| SHA1 | be0632b96e3267da2a5cd6b0b48f117b4ac4687b |
| SHA256 | 52f18438132d0966aecc70f897ca9e78a10da47de2c12c19029f6e1fc6aa0339 |
| SHA512 | b6890346523c8cd9555d95a53f77dfd450acab1ca3a144335899ec5a2bfc4b4c01493f041ade2e547ad41e11705eb87e1c491bff351d3d33c31dd7fc2786632b |
C:\Users\Admin\AppData\Local\Temp\tmp34DB.tmp.exe
| MD5 | aac5b67d3ffcdd026b31d44ed2db52c0 |
| SHA1 | 20044222554068c3846a0d2a84084f73fb812506 |
| SHA256 | 3ba73a85c5df4b31cef0a72cd06a563dcfe20dd422cd0543427f2cc15cb0b068 |
| SHA512 | d68ebcdae22f68b9e4e5cd7cd91002367f09d23278aba11c851e9aff42e050d9007b8752e90575959516d3eb0f9e337c79d9dc44e5e90652c550eb037a436497 |
memory/4600-21-0x00000000746E0000-0x0000000074C91000-memory.dmp
memory/804-20-0x00000000746E0000-0x0000000074C91000-memory.dmp
memory/4600-22-0x0000000000C80000-0x0000000000C90000-memory.dmp
memory/4600-23-0x00000000746E0000-0x0000000074C91000-memory.dmp
memory/4600-25-0x0000000000C80000-0x0000000000C90000-memory.dmp
memory/4600-26-0x00000000746E0000-0x0000000074C91000-memory.dmp
memory/4600-27-0x0000000000C80000-0x0000000000C90000-memory.dmp
memory/4600-28-0x0000000000C80000-0x0000000000C90000-memory.dmp