Analysis Overview
SHA256
fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db
Threat Level: Known bad
The file fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Deletes itself
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 03:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 03:12
Reported
2024-04-08 03:14
Platform
win7-20240221-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
MetamorpherRAT
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe
"C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2fo__eb7.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9454.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9453.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2636-26-0x0000000074190000-0x000000007473B000-memory.dmp
memory/2636-25-0x0000000002050000-0x0000000002090000-memory.dmp
memory/2636-24-0x0000000074190000-0x000000007473B000-memory.dmp
memory/856-23-0x0000000074190000-0x000000007473B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp.exe
| MD5 | 1d9c77d40fdad280a06821cd6d89b336 |
| SHA1 | 984f0e5968f1da02ff124579b6c5a7b5ece8cbff |
| SHA256 | 3cf3bd0021c68396582feceba81cf4cffc35f25842121de871d304d064e66d0a |
| SHA512 | 990ef42296e7f56c5e5e1604b17aa2611ec7024dedee05624c5a7bcbbc97408ff8f76cd5310bf81885f92e4f5300cd7dc615cbeeeee7c5c115380caeb2978675 |
C:\Users\Admin\AppData\Local\Temp\RES9454.tmp
| MD5 | 8b18281ee869d9a2ee30388774a4c1cb |
| SHA1 | 431a923842c5033d623acae464bc82c7446c8827 |
| SHA256 | 1b1765cd97640b153d6e84da099590bf3fa0cfc935fe381c2f62227d17ad926a |
| SHA512 | 9d9c3ef9e8aaae5e25614b4518a524ed964d755b203343169824b3b223a21d73ad2e5c535ad17b8fb846edef1a3caa9cde0912a679fe933fa48dc8871cdb90ee |
C:\Users\Admin\AppData\Local\Temp\vbc9453.tmp
| MD5 | 4a4246ee5538f052ca962eb851d78622 |
| SHA1 | 148f26367ac2930535b0d8b9df51040a53b37a68 |
| SHA256 | f2ed1edf2352c0a88f887cf0e8be8ebc08842907d31c51577fc9fa39cb097643 |
| SHA512 | 7f37a6368884000041142c5d423cd7bd35cce969ff579dc8fd61f7331ecd2a8a191b4155b1952aed51736eda5a85452dff1e64a3bf94099b77d1bdbe24583efb |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\2fo__eb7.0.vb
| MD5 | 8bab61380e4ab59b1484a59c5a29e874 |
| SHA1 | dddaf29217a1ef6ac4f18dbbe98b0abf862a902c |
| SHA256 | 5a89bdf0c671bfec7a91e57512f9189064aee1498a1975a95e7e3d0456c10cbd |
| SHA512 | ff2216c0d23c26061742941c742e93cdeebacd0d15dacf1e29427fdf33412512eafc6b6a3c36bbac9550344c55a2994398a7dcfc09d0461252dda8155655641f |
memory/2508-8-0x0000000001F10000-0x0000000001F50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2fo__eb7.cmdline
| MD5 | 349e51c1505c6a4bd1dd4196b1988838 |
| SHA1 | 1381f2c42c9da7dee7c1588940f8b58aa6b69c52 |
| SHA256 | 5d07d31697e61f061d1aa58750ef1d5434cdce7b9b89ff064174a8a2bc27dc2f |
| SHA512 | 058dd6c2374d84255d2a789b765a48b2350ca2e0e3d85913cfac060ef2303e3d4ebf24a771240a95bd92868040d41de2d17e8d5c3124323027976d77913e632b |
memory/856-2-0x0000000000450000-0x0000000000490000-memory.dmp
memory/856-1-0x0000000074190000-0x000000007473B000-memory.dmp
memory/856-0-0x0000000074190000-0x000000007473B000-memory.dmp
memory/2636-28-0x0000000002050000-0x0000000002090000-memory.dmp
memory/2636-29-0x0000000074190000-0x000000007473B000-memory.dmp
memory/2636-30-0x0000000002050000-0x0000000002090000-memory.dmp
memory/2636-31-0x0000000002050000-0x0000000002090000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 03:12
Reported
2024-04-08 03:14
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp38D3.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp38D3.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp38D3.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe
"C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w3pe7kc4.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A59.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F540C4932254764A496F38B5B5198B7.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp38D3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp38D3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/3764-0-0x00000000755A0000-0x0000000075B51000-memory.dmp
memory/3764-1-0x0000000000F30000-0x0000000000F40000-memory.dmp
memory/3764-2-0x00000000755A0000-0x0000000075B51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\w3pe7kc4.cmdline
| MD5 | ecfab649c8416ca57297ecaa497ecdd3 |
| SHA1 | 748872a07e979b1f9c11db66c6cd653dd377d783 |
| SHA256 | 6188615cb58749d9d6634e79618920eece78d7591f555a7257860f7cc6a24a56 |
| SHA512 | c0487e9002721430a7e0de08324a2847a7a4f8e654ad612eaa0a3595a56730b8382ebe0a17d695052d92566b22814db8fa93c469808f1d6abef3d2390831ba1e |
memory/4676-8-0x0000000002420000-0x0000000002430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\w3pe7kc4.0.vb
| MD5 | cca9fb6a7814f07fdbf228d7f564e895 |
| SHA1 | f6858d91dc87c20413685ce8ef9db3ac84b871ec |
| SHA256 | e97e22435834aca159d8f263d4aa7612202bde89e156e5ea631e4970ce519b80 |
| SHA512 | d60da3d22f2f6735948beca31a9977793dc8d75103b1b9c895a365e38b9801beaf466bd4f50818737c70a93ca389c1c085bad3b4b71456bec667a7b418af7232 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc8F540C4932254764A496F38B5B5198B7.TMP
| MD5 | 8fcdd42e4fedc199a26cd5cb1374c894 |
| SHA1 | 16e2cc33c6f3938cde965d221deddc0eec021926 |
| SHA256 | 7bbb1e3c0f3b8226024e0c45c34678c1cedd306eee0801a18783657508470c69 |
| SHA512 | 817c57f2c9df84033aa714874a3fea789e7d8cd6fe0d4aa822bd04b636ae0959bc2851097e642d50705a877284d220412a4a5243cd758b16ca27d3bd11d6ba8b |
C:\Users\Admin\AppData\Local\Temp\RES3A59.tmp
| MD5 | 8af09354e776af0e3c53d16d9cc7926b |
| SHA1 | 29f8693d0a76f3bf9e5b72bb70152dd9830dbd4f |
| SHA256 | 2a82a86341171f3a4b40b06c21189e2aed8dbffbcef8bf74a827316735499571 |
| SHA512 | d6658ce0bb8363182a15f39300af1b5a290a4324b005af347c091fa3cb2fe604176fbd7e261befcce749e065c443070e39caeb66d19f3a35aa087344d22c5d1e |
C:\Users\Admin\AppData\Local\Temp\tmp38D3.tmp.exe
| MD5 | 1fa2c8132ab2596c6814394efe72603f |
| SHA1 | a4f1dcfac6412e7f9134ff5ad32f84ec67a0a2ef |
| SHA256 | 3520650f2c2d7d8c923a8ecca2f0e1aede664aa2eb37f05b510ab08dd2c6b256 |
| SHA512 | 7be354052a23de0286dc72d66d3e833fa552f0669607046fc72ce30f64a2449a6e9e9c1bd63139c24625b8936f13f91ff82fb188733528ad4b329c1b58ddb122 |
memory/3764-21-0x00000000755A0000-0x0000000075B51000-memory.dmp
memory/628-22-0x00000000755A0000-0x0000000075B51000-memory.dmp
memory/628-23-0x00000000755A0000-0x0000000075B51000-memory.dmp
memory/628-25-0x0000000001AC0000-0x0000000001AD0000-memory.dmp
memory/628-26-0x00000000755A0000-0x0000000075B51000-memory.dmp
memory/628-27-0x0000000001AC0000-0x0000000001AD0000-memory.dmp
memory/628-28-0x0000000001AC0000-0x0000000001AD0000-memory.dmp