Analysis Overview
SHA256
ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112
Threat Level: Known bad
The file ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
Checks computer location settings
Deletes itself
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 02:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 02:41
Reported
2024-04-08 02:43
Platform
win7-20240221-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7FDA.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp7FDA.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7FDA.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe
"C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fuepdtov.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc81CD.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp7FDA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7FDA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | | tcp |
Files
memory/2696-0-0x0000000074C60000-0x000000007520B000-memory.dmp
memory/2696-1-0x0000000074C60000-0x000000007520B000-memory.dmp
memory/2696-2-0x0000000000BE0000-0x0000000000C20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fuepdtov.cmdline
| MD5 | 32a2677dfdf86ecc840975601779e766 |
| SHA1 | c0ba7c4adbdadb98dd8c70b1fdba4c1f56ae469f |
| SHA256 | e1c26f9852826a185d43e94e5d0546d0fa430e9dc00f65bde7f828cc62fbf4a6 |
| SHA512 | 9e147e1d81b54c44892951f72a5d994ecb4bbf0ce4a559574cab6a90459a5bf8581f3e0dcc7c3041fa4f6d6fc449593a6e5089eb0c6949798b7992a783eb386c |
C:\Users\Admin\AppData\Local\Temp\fuepdtov.0.vb
| MD5 | 79b5b6d672154e1450b4db60a4672184 |
| SHA1 | f8aa8c4e8bf66a606209e3f3e5ab49d8b71006c8 |
| SHA256 | 0304b8ebaa092a4c3b27d3d2be722a0303a3c9cd47caad5610d8e68263c7e366 |
| SHA512 | ae584778cd07980f138ced540aefee88ddd34da51f4a82960e670f18a824b143a1500cca10770ff4b6a2f26a9a404023e80fe6b0dcd15e255794b99e08af443f |
C:\Users\Admin\AppData\Local\Temp\RES81DE.tmp
| MD5 | 717d0a30ccdbba5d3df8a1df2e21914d |
| SHA1 | cbb3760c47177e9750305aae9404f59401cc566d |
| SHA256 | bf9fa2d008293b203ac1aba8245ffbf07e8814dab22ade351750e4bc044c9a52 |
| SHA512 | a42792f01ad282a29eb0d83630cba37d6e40f26a76ff3ed180af3ff62b0e66c4664f7e914a3441e3daef6d422dfb6b92f0a9e5bf306853c6cf924c0f9d080f41 |
C:\Users\Admin\AppData\Local\Temp\tmp7FDA.tmp.exe
| MD5 | b6d31ff51431e4bfcc4177ce86b604d2 |
| SHA1 | 35808580a822fbfeda24aea22b96ac9c70e65076 |
| SHA256 | 1d1450fb6db1486162aaa4ff90c54f494faefa6004a43eb0493253b39db8435c |
| SHA512 | cdbade17d3d825100bf2df816c500c12a38ea1cb02d6afe698a1c3eee4baa68d74774fa02b76199239b53acd2057a7516b365357ecd7866c87f84abb63b261be |
C:\Users\Admin\AppData\Local\Temp\vbc81CD.tmp
| MD5 | 52f1bb85fb9a39b519bb8ec2ffd67f3a |
| SHA1 | 32fbe5535619376a2829ad068bbdee1202578130 |
| SHA256 | dc7c5f2aa79f38d2729ed58a52cbe71a0ad6948cc0232a495f59484607ff9423 |
| SHA512 | 54fd7c4f170e08812204d15a85778b25784ca24d064fcea0685b99fe46c76bffd42a07c65b6f68631d0595af36c1231c1105832482715bcff8340a34944a87e9 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
memory/2648-22-0x0000000074C60000-0x000000007520B000-memory.dmp
memory/2696-24-0x0000000074C60000-0x000000007520B000-memory.dmp
memory/2648-23-0x00000000005D0000-0x0000000000610000-memory.dmp
memory/2648-26-0x00000000005D0000-0x0000000000610000-memory.dmp
memory/2648-28-0x00000000005D0000-0x0000000000610000-memory.dmp
memory/2648-27-0x0000000074C60000-0x000000007520B000-memory.dmp
memory/2648-29-0x00000000005D0000-0x0000000000610000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 02:41
Reported
2024-04-08 02:43
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4E6E.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4E6E.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp4E6E.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4E6E.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe
"C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wa1znmbw.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F39.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcADF8DC2A6F2A49C7A5B59E64137EC06C.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp4E6E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4E6E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/3300-0-0x0000000074D90000-0x0000000075341000-memory.dmp
memory/3300-1-0x0000000001500000-0x0000000001510000-memory.dmp
memory/3300-2-0x0000000074D90000-0x0000000075341000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wa1znmbw.cmdline
| MD5 | e6bdafb5f360c40bb39ac1f7f13b9124 |
| SHA1 | 6cd21ca3095638ac5381ed8fe92fe02a65bb5a4a |
| SHA256 | aeacb0d255655f6b39f581f9f6d0847bcea313090c12fedde2ccad553f1f1dcc |
| SHA512 | c61516aee149ebc85372f970c5a28a05542df0a5ea69fe36b0d5600217e94e1ca632c0121a9e64ad2dff3ad6742b2b7763c768afd7f20b68f14d0211457e2e56 |
C:\Users\Admin\AppData\Local\Temp\wa1znmbw.0.vb
| MD5 | 5e342cc6a2729e2ccb429bf04b5f4d3c |
| SHA1 | 3bd17cb51dc49fa9f49a3400f99e9766ef7d67b0 |
| SHA256 | c76145c34253f20dde0a857b77dc3b44069b128d1ef388cb3c38e2c3119e21d8 |
| SHA512 | f049598a2e2f20ef5417f48b0ce6377c5cc2d54eafeed42f25affeb3400ccf80d8f1b53ec433ea313519b175745f307ce5e5e1499e1408e64b410f61d26bc1e1 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\RES4F39.tmp
| MD5 | 5797188c9b75a9156bc8ded36c2163e7 |
| SHA1 | d2f06579257704ccfa11e2ee17a3f27bb111fc83 |
| SHA256 | 503c0c0421c3ab5714761e47815445816c31b50eaf67a206faca7e8170e33981 |
| SHA512 | b60dd9481acd6f658b14a5310a84265e30895b6021b1e8a59fa4f41d3a2ebd6f02f0b268f68f169c31f2bfd53e7019123434267bf1f55c8d027a7d16df5da77f |
C:\Users\Admin\AppData\Local\Temp\tmp4E6E.tmp.exe
| MD5 | aa41afc84b2712d9c4e4a57a816a19b4 |
| SHA1 | 4ef580be52d97072248f8f038cc090350cb7c40b |
| SHA256 | fc494c1e00e049dd780b309109e5e8c243d81bc9e6bd55bd3e08bcdcf6b2c635 |
| SHA512 | dc1506cc64c02fba50d76f85227b7a785b71a9786a20142a7a6004990439fc4034879301363bea795a37ddc897c3fa6b43e61df97df501e73c71d7e22f913a80 |
C:\Users\Admin\AppData\Local\Temp\vbcADF8DC2A6F2A49C7A5B59E64137EC06C.TMP
| MD5 | 92ebc7f2cee7986f4b2df2295c82f733 |
| SHA1 | 05dd064f45d8e27566d1394196b5637a78c243ad |
| SHA256 | 8427d850f97b8e7451757060dc22118a8fd3b9b2d44ca5d9e63fc066ad014db4 |
| SHA512 | 807194f57539fa38862383e4c06424c03c1b925848ab16850f8452435d08ac0011e296275d8227335b47ab701b711f378904350bee55619c2f7d29eb0f7aca37 |
memory/3300-20-0x0000000074D90000-0x0000000075341000-memory.dmp
memory/2056-21-0x0000000074D90000-0x0000000075341000-memory.dmp
memory/2056-22-0x0000000001680000-0x0000000001690000-memory.dmp
memory/2056-23-0x0000000074D90000-0x0000000075341000-memory.dmp
memory/2056-25-0x0000000001680000-0x0000000001690000-memory.dmp
memory/2056-26-0x0000000074D90000-0x0000000075341000-memory.dmp
memory/2056-27-0x0000000001680000-0x0000000001690000-memory.dmp
memory/2056-28-0x0000000001680000-0x0000000001690000-memory.dmp