Analysis Overview
SHA256
fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769
Threat Level: Known bad
The file fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 03:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 03:14
Reported
2024-04-08 03:17
Platform
win7-20240215-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe
"C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tyuihv_p.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB18.tmp"
C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
Files
memory/1940-0-0x0000000074B70000-0x000000007511B000-memory.dmp
memory/1940-1-0x0000000000C20000-0x0000000000C60000-memory.dmp
memory/1940-2-0x0000000074B70000-0x000000007511B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tyuihv_p.cmdline
| MD5 | 8ff46869f21bf6c1ebc69473e0c96ff3 |
| SHA1 | 60661446f918c0aaae207af687f4c8d2d84eb435 |
| SHA256 | d4fc687a2c915764beb89440acef5c446fa0738bf934d439eab6a8586a84e5d2 |
| SHA512 | d07790c382193e5675e3ace85c26ed0666266079af033edfde4c2bbd300446cdec61367756b54062c90af662c167d9e90fc2569c344dc2d92ac2ca55f0156e41 |
C:\Users\Admin\AppData\Local\Temp\tyuihv_p.0.vb
| MD5 | 248b4d232330d666dfaceac3247a5a7b |
| SHA1 | 175f1e58d1579662501c34bc0e1d4b100808e0a6 |
| SHA256 | db3bd0e0a9ddf9b61ff5a91e35239dfa6c8e58b85b9d20a7b34a0b05ea0e7ab7 |
| SHA512 | 56e9337fe91dcccc0e5fa223d9085504b0f2df166aa06d3e6202240bf72c6f5a5831fa03ecee4beba48b1185b8fc8bb7a2a9596266c37cef96b3759ae61f4e90 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbcB18.tmp
| MD5 | 9481288a162efdcdc652eafb5386d82f |
| SHA1 | 4d39808b589ae7916263e8806111a76c2c27db9c |
| SHA256 | b727259aba1b573e974ec564a4360a0892c3a336be9dcdb7dc78206f0f60f54b |
| SHA512 | 2f6be049267886f1a2321447500392e8182e7b8de0f09b7b0c44ef0022f010857eed40c935e818258924c101b67ca075376287eddeee43ee9362524159a340ea |
C:\Users\Admin\AppData\Local\Temp\RESB19.tmp
| MD5 | d28241c13f5aa20a570794010e817478 |
| SHA1 | 438177627f8d6a68a607ecbab0edd1a2c35177df |
| SHA256 | 2437f5d812a4580924c62d5558e5712d21d8e512ead21f40d557a176a7226311 |
| SHA512 | 218915808338621ed495c7a1ad8a3b9c11beab4037840891dd3965c009200410d959fd8c04b0e9b8931f4fa0ca0ccb5bcba49217e573c23851029f270973addb |
C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp.exe
| MD5 | 6975fbefbb40f2e023285a0cdb9438fd |
| SHA1 | ec31f9608283a6b455a237c17b99cb173eeefde4 |
| SHA256 | 9433d7e543bb577a2b432fe120d20c6444fd74ce5383a30075674a0b48d65d88 |
| SHA512 | 23c30678c3c8721a0f0505dc83ed41df387b0ce308c4bc3f631fe6259f159b28fd72bd45ca8c5b44b4d479879cefaad9684e74f4d2bb7b185be407ddf89dfb15 |
memory/1940-22-0x0000000074B70000-0x000000007511B000-memory.dmp
memory/2564-24-0x0000000001CE0000-0x0000000001D20000-memory.dmp
memory/2564-25-0x0000000074B70000-0x000000007511B000-memory.dmp
memory/2564-23-0x0000000074B70000-0x000000007511B000-memory.dmp
memory/2564-27-0x0000000001CE0000-0x0000000001D20000-memory.dmp
memory/2564-29-0x0000000001CE0000-0x0000000001D20000-memory.dmp
memory/2564-28-0x0000000074B70000-0x000000007511B000-memory.dmp
memory/2564-30-0x0000000001CE0000-0x0000000001D20000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 03:14
Reported
2024-04-08 03:17
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp40E1.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp40E1.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp40E1.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe
"C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cxik4jzp.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD69D71365A734D508DA3E5CE2D12915C.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp40E1.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp40E1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
Files
memory/464-0-0x0000000074720000-0x0000000074CD1000-memory.dmp
memory/464-1-0x0000000000970000-0x0000000000980000-memory.dmp
memory/464-2-0x0000000074720000-0x0000000074CD1000-memory.dmp
memory/4068-8-0x0000000000A00000-0x0000000000A10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cxik4jzp.cmdline
| MD5 | 0aa963368e6ebc07851ee040868530b8 |
| SHA1 | 62c1d10115b739112e3551b5d9a0fa734c9cd3a1 |
| SHA256 | d4fa3667568875d954bc546e2670cbf56ce3719f01bebd8d9a1b68cb2e9f98a0 |
| SHA512 | b9fde02e3d11173f63ba01c9a0ca2ba5befefbcae39428ce81aab2db06cf4120f14644e856f5f61456147a7f87898eb9b578188589782c09c00df8ccc178b916 |
C:\Users\Admin\AppData\Local\Temp\cxik4jzp.0.vb
| MD5 | 65ba14eea4e71b093e3804a4c17ed5ff |
| SHA1 | c2707e937b0e928aece14b5ddbfe1120c6ccb5af |
| SHA256 | b92d5f444e41cab9aa1db5733a237c2fd1c6e1387494dbad3c32a3290e3d66c5 |
| SHA512 | f66dfac01e9029ca3a6cb56148722fb10bd6d61e510bdfdebdf4ca388f406e1982594c227fbf2b777a1bd6ed7de04b5798a84866595f65a0f98cdd2ca824dd64 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbcD69D71365A734D508DA3E5CE2D12915C.TMP
| MD5 | c45257f0e9eea6a8651954a84d56cc6f |
| SHA1 | 5dcbb71468adb298731ee8cba5dc4a50d2f30fca |
| SHA256 | 9f0e977e0d59d4999a47e8a548da50a9fe4b9bd95db773b94cf18b7975ff959c |
| SHA512 | 5d08d007c294640edeb405da7a1ae58d30660201877d933f8e1078121fc6a52aab293bfc356b68aeb361ff697984cf0c9a4ece92f1824efbc025587e10df1a1e |
C:\Users\Admin\AppData\Local\Temp\RES41DB.tmp
| MD5 | 0a26835146ee13393907f34ad070e4ca |
| SHA1 | d3c1f13f82be4530e1e70d48e35188559a46632a |
| SHA256 | bd4db0db9b8f4fa5440ac67256219a976a7fa2ec352f0ae2adeb85a8f00ddc46 |
| SHA512 | c0ceff09e3e07c7511e1015fbe58524d036972d5484b2b2957e240d490ba0ee3733ec4dc6908bc13a347e58682901704fe41756bbcc4719cad3f04f8881152ec |
C:\Users\Admin\AppData\Local\Temp\tmp40E1.tmp.exe
| MD5 | 386c508e2bae09dfe6099dea25bff727 |
| SHA1 | bdd54683528bdd16c083a92fa9f68df8791c05be |
| SHA256 | fb5c7b286eb03602cd56aa2093799df9e1d31c35e88f0b6004e1295c34c6cabb |
| SHA512 | cc6b939aa79d144092124257f418a70973c20a2549f0528f580170dc9ca5edfa9b5a15af22a10c00558e9bc9954aee9c46e6329e456b808f1649cf687a1dd6b8 |
memory/464-21-0x0000000074720000-0x0000000074CD1000-memory.dmp
memory/1200-22-0x0000000074720000-0x0000000074CD1000-memory.dmp
memory/1200-23-0x0000000000EF0000-0x0000000000F00000-memory.dmp
memory/1200-24-0x0000000074720000-0x0000000074CD1000-memory.dmp
memory/1200-26-0x0000000000EF0000-0x0000000000F00000-memory.dmp
memory/1200-27-0x0000000074720000-0x0000000074CD1000-memory.dmp
memory/1200-28-0x0000000000EF0000-0x0000000000F00000-memory.dmp
memory/1200-29-0x0000000000EF0000-0x0000000000F00000-memory.dmp