Analysis Overview
SHA256
3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9
Threat Level: Known bad
The file 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Deletes itself
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 20:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 20:30
Reported
2024-04-08 20:33
Platform
win7-20240215-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
"C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mens4nmz.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc13BF.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/1244-0-0x0000000074B10000-0x00000000750BB000-memory.dmp
memory/1244-1-0x0000000074B10000-0x00000000750BB000-memory.dmp
memory/1244-2-0x0000000000370000-0x00000000003B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mens4nmz.cmdline
| MD5 | cd516cf8682bc63b410b4d8f99d38910 |
| SHA1 | bdf29115bd52db620bd3a41a21d504b19d8f4144 |
| SHA256 | dde82dd2792c36724c0492db41dfec58ecf226ae742578722b9cd89016355e29 |
| SHA512 | a800dcbbe4d7e6bde41aae2c7c5898fab4ae1f430ae16dba6ef2410ee441fff30c470db569ac8efb6fc0fa720621f0a18c87ec2dd9518216527d0af0462c52ee |
C:\Users\Admin\AppData\Local\Temp\mens4nmz.0.vb
| MD5 | 5320148874d8604e01419af688b85e1b |
| SHA1 | 21a6839c882b3531845d786d49fea5f26d1d1ce4 |
| SHA256 | 5d6a69185540aaa5bbe7e790d579fed614ddca6f07f25d744f61928190c8afc4 |
| SHA512 | c6e355ba42c3b506dcbc764ff4c40953a1556bbbc0bdfeab11715cb11ecf1b76060ff0b531cba9bd976f4e27c7bd881755b2638d232a4a215e7f7aa8943fcbc0 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\RES13C0.tmp
| MD5 | 0feab416a36edfb5a9ddef16829fbca0 |
| SHA1 | 2409ca305df9d246b37cac9e05aad38effe36b0f |
| SHA256 | 5bb21a137cd24aeb4d7e1845af37c4acfb41e323875fa154775a4376a4269af0 |
| SHA512 | dc9c61f8b1429fed9611f3d7ee5cfb694dc43462d4d821441a8817c24a10cfceb757254f4dd5ce7bf0f456acdedd90d31306a5de4dca2619bbe637efbf0d3fc0 |
C:\Users\Admin\AppData\Local\Temp\vbc13BF.tmp
| MD5 | 336ca875c2113afb536c44505f702a10 |
| SHA1 | 51410a1e4f0bc8cfe047f259b9f56f13c32a6b04 |
| SHA256 | 222d30cb7846501d09f91459ac052abace1ae961a5f3e3e9f2bd6be1e93a60d9 |
| SHA512 | 04680925f907c031773c5f6097fbe1a9d43aa7b4035987a71f414dd7a084ce125f260c6dd078bc38ed62b5dde24a4d8e70014f1852f7be2b8d4087c35753048f |
C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmp.exe
| MD5 | 4881389c8ae06da40b8e86da635e655b |
| SHA1 | 0d08695406e16376689df5f8b62726c6cd4e464d |
| SHA256 | 5ab36cc1821dabc506faaef6ae40129db06e8bfcbb294ba0bf66c3e1d7ede11f |
| SHA512 | dc928274b0da073c6cd7f36d5592abc461a677698daeb04d2cd664b8e18bb7b8594a76061e790b3a3a2a0c052f9382ae10a46fe50d0394fd2279156a96be7967 |
memory/1244-22-0x0000000074B10000-0x00000000750BB000-memory.dmp
memory/2900-23-0x0000000074B10000-0x00000000750BB000-memory.dmp
memory/2900-24-0x0000000000A50000-0x0000000000A90000-memory.dmp
memory/2900-25-0x0000000074B10000-0x00000000750BB000-memory.dmp
memory/2900-27-0x0000000000A50000-0x0000000000A90000-memory.dmp
memory/2900-28-0x0000000074B10000-0x00000000750BB000-memory.dmp
memory/2900-29-0x0000000000A50000-0x0000000000A90000-memory.dmp
memory/2900-30-0x0000000000A50000-0x0000000000A90000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 20:30
Reported
2024-04-08 20:33
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
"C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0nemvysu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc91DB679839454547A21C5EAE99BE6.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/4404-0-0x0000000074D70000-0x0000000075321000-memory.dmp
memory/4404-1-0x0000000074D70000-0x0000000075321000-memory.dmp
memory/4404-2-0x0000000000DE0000-0x0000000000DF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0nemvysu.cmdline
| MD5 | 03599a7e611c72876f453ff6c819ee5e |
| SHA1 | 47b29ba60896d41b0d0b9755052cb4cbf81ac0c7 |
| SHA256 | 0162e504266c1579176631a8124c81423f48346612bdabd1518aec1989a5893e |
| SHA512 | e02800111e0cf893e120caa4b7b16e2657071c070624191cb36acea9053cd56a2c272ddf71ef210eb4e8c69955f9d3ce6ef9c0c65d981e0e3ffb86feed0c9817 |
C:\Users\Admin\AppData\Local\Temp\0nemvysu.0.vb
| MD5 | b8e147d26abe709def149c1c243c3c65 |
| SHA1 | 8f6ca911d4dc35db1f7478ca7609b55c6138934a |
| SHA256 | 56936fa9cce510e6ea74fd77aab4080f9894e5c00695fa9a150fd62f666f0fca |
| SHA512 | 5516fae2be098e5089e5bc7b04d86cc7e16e7b2f9e23a7f23d564bb25dfab23b2d4ec353d8392c803b42a27b7dd0241b14595f7470cf5eca10319d88cd368a6b |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc91DB679839454547A21C5EAE99BE6.TMP
| MD5 | 8b4f6e3c5ec87cd97cc24f022242f950 |
| SHA1 | 4c062b85cbd269fe482f1249ff09d8bdf39a2f39 |
| SHA256 | fab93703b93f687b598cca0e4c1cfa305d5d5ae12c60cc948e95936c66f575a7 |
| SHA512 | c0ece332135c75ffb0128a6d7f53effb3edc45802c0e8bcf0106d7f109bbfb1ed74c28c511023ab982cbf2e8225083e43245d9c66fa80170e9c86a560a52b0b3 |
C:\Users\Admin\AppData\Local\Temp\RES82CC.tmp
| MD5 | 9502b62767c8947ecf7656a856382172 |
| SHA1 | c41fc74bed12ef887560548b30a1dc2f087e2ccb |
| SHA256 | 6095a306964545354b3436b5884e2ad3130650a46ac6e45312493c056afca04e |
| SHA512 | d5c8592497ebc38c9b56f70bec72e79ec0c0827dd7ce59d7e7c0e054a30a114d23d551ce80bff4524f979dec19ab7434f977c91dd129742740544745dc7c23df |
C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe
| MD5 | 3de6945359a7f84064ce519cf60b95a3 |
| SHA1 | bd23a417e5a28c393319f0d11c1903b5cffd301f |
| SHA256 | ed28b9af0594e43c5270dfbf6ac1d1eef371d8e692d7882ccef5e060d9edeb54 |
| SHA512 | cb35dbad3482f94f1abbc6d88ab9a6665d1443f511c4b477bba79d394a776783f7366714c87019acc8368b0b7d60d44b7648f5592207c7c9aea182c56542f72d |
memory/2648-21-0x0000000074D70000-0x0000000075321000-memory.dmp
memory/4404-20-0x0000000074D70000-0x0000000075321000-memory.dmp
memory/2648-22-0x00000000013F0000-0x0000000001400000-memory.dmp
memory/2648-23-0x0000000074D70000-0x0000000075321000-memory.dmp
memory/2648-25-0x00000000013F0000-0x0000000001400000-memory.dmp
memory/2648-26-0x0000000074D70000-0x0000000075321000-memory.dmp
memory/2648-27-0x00000000013F0000-0x0000000001400000-memory.dmp
memory/2648-28-0x00000000013F0000-0x0000000001400000-memory.dmp