Analysis Overview
SHA256
33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18
Threat Level: Known bad
The file 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Deletes itself
Uses the VBS compiler for execution
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 20:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 20:08
Reported
2024-04-08 20:10
Platform
win7-20240221-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
MetamorpherRAT
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe
"C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vojdtnur.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3351.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3340.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe" C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\vojdtnur.cmdline
C:\Users\Admin\AppData\Local\Temp\vojdtnur.0.vb
C:\Users\Admin\AppData\Local\Temp\zCom.resources
C:\Users\Admin\AppData\Local\Temp\vbc3340.tmp
C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe
C:\Users\Admin\AppData\Local\Temp\RES3351.tmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 20:08
Reported
2024-04-08 20:10
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
158s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe
"C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\izt2q59o.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B96.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc78EA23C825DB4922B077C37195D9C3C1.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\izt2q59o.cmdline
C:\Users\Admin\AppData\Local\Temp\izt2q59o.0.vb
C:\Users\Admin\AppData\Local\Temp\zCom.resources
C:\Users\Admin\AppData\Local\Temp\vbc78EA23C825DB4922B077C37195D9C3C1.TMP
C:\Users\Admin\AppData\Local\Temp\RES8B96.tmp
C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.exe