Analysis Overview
SHA256
2d015441fc98484166fb95ae4f8814ec248344ff501f156e48a8516d9438eeb2
Threat Level: Known bad
The file 436b4f5121e1244b0eb49ee558b6a52e was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Deletes itself
Uses the VBS compiler for execution
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 22:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 22:22
Reported
2024-04-09 22:28
Platform
win7-20240221-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
MetamorpherRAT
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe
"C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\adfgr5qz.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4616.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4615.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
Files
memory/2152-0-0x00000000744F0000-0x0000000074A9B000-memory.dmp
memory/2152-1-0x00000000744F0000-0x0000000074A9B000-memory.dmp
memory/2152-2-0x0000000002020000-0x0000000002060000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\adfgr5qz.cmdline
| MD5 | 6c30c1a93a001a32cd95b0fb6b05950b |
| SHA1 | 5f6e9d49b4a637ec753fe0831efb3f86fd15d770 |
| SHA256 | 8cd0fac973c0482e5f6edb41258bbf28cc64156059810b9e73d63775cfe36b40 |
| SHA512 | 8b63c3b6bde9aa6b906f46843562e3f0374b271f773e97ffef9b5feaf705f0ddc82b0b12f577b031864c2f75326940f405a5dc733acee758a49c51d3b7399f82 |
memory/3068-8-0x0000000002210000-0x0000000002250000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\adfgr5qz.0.vb
| MD5 | 7dc1ad54f984d3955ab9add1e3c6f7dc |
| SHA1 | 342f260a6aa4de721d7fdcaba3038c2d67516301 |
| SHA256 | 02f4b8fce6aef091f72fbc930c2bd1d2687accccc72a7740e7b87751add2141b |
| SHA512 | 62bba48e2ee14827113fa1cc13ae05b64a16213435653691443ffe2df1ad0bff1377ae3f5f758e8b269a72f0b8ce6e372f2c1f4b9193472bd7a22163bc6a4493 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc4615.tmp
| MD5 | 00e98a83c1de8c6ae047f40eeb26a67b |
| SHA1 | 438210b3af150bb55b602030e39ee3974b47b9bf |
| SHA256 | ba6d524118faa52d90b5ecbcc9801c46c9c31cae56965fa161d09762661b55ae |
| SHA512 | 6311b601e7e7affc0ad89b8b114461e774a2052bfe9c23a41978303c791f0d4ce391c23939c130c5cc57f4e93a3273de634152a4a117b511e47604ed65d4a02e |
C:\Users\Admin\AppData\Local\Temp\RES4616.tmp
| MD5 | fc8e88820b8fb1294089fa0296875cbc |
| SHA1 | 4e02b59ebd83ef0dabdf1e6f0f4a5cdf1e197109 |
| SHA256 | ea5cd3f0676381948599a0fd86b4859f7a3660be170150f453841301e149193e |
| SHA512 | f9b9154f007405ca8246fe78c88c92e6dca7cd58399649c409a6b357b9962ae86e344f0e100a9191296db472e64acf378d9882fcf171d7b0c9c57cc7351a1e8f |
C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp.exe
| MD5 | aeacedbb712292af587fc539700b31d6 |
| SHA1 | dcd03d5df6fece65a70e45085bd5df4fc727837b |
| SHA256 | cd3bb7103c8a597b0ef4adf9b5d94dbc41683162c34c569d891980a7401e0cf4 |
| SHA512 | c2aa47b9a381303c8668c9d65cf8a445340204b0437030c58a76992db9d149779ad74159d1d2c4d78ae33d01ee31e234fdd37836b70581e6b1545414c31e31e1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 22:22
Reported
2024-04-09 22:27
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3BA1.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp3BA1.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3BA1.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe
"C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rzqz5wsb.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CBB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC97854981F402FAE1879967D3711B1.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp3BA1.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3BA1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\436b4f5121e1244b0eb49ee558b6a52e.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
memory/2240-0-0x0000000075360000-0x0000000075911000-memory.dmp
memory/2240-1-0x0000000075360000-0x0000000075911000-memory.dmp
memory/2240-2-0x0000000000B50000-0x0000000000B60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rzqz5wsb.cmdline
| MD5 | bf6e2b4dbeb69a81a687cb79c8cef254 |
| SHA1 | 811a7425371eba32c4315d1065b1db39924771c0 |
| SHA256 | b72346992a37118fdca3ca5c1d5467275375eefdd3b05503a287bb74b289004f |
| SHA512 | 99f290c766343ba03f63a107e6fcf1ca067e11b0c5249c04b387fc1d4e06e432b848ee659dbd12bed369fcff7e69b780fef7c591aaacc2700bf66daaa2307893 |
memory/1988-8-0x0000000000BB0000-0x0000000000BC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rzqz5wsb.0.vb
| MD5 | 9c2f9ee4841a9d3e66c7e3a2d393e1cd |
| SHA1 | a1e9af19384fa168bb97d5412c0677a6ef9ab93d |
| SHA256 | 1798b74004dd803ff6f1e1b9727de4ad9892905ce682a77e02a3b95db65d91a5 |
| SHA512 | cbec0e0ec3eb19f62c5bec73bbe6a44b5214a5274b66e18e360af0985ac298c88ba783ae4389540f5c24cc7fa0b87028f250eadb7ed0bd4c53ce66ca4c3357ee |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbcC97854981F402FAE1879967D3711B1.TMP
| MD5 | c2c286c23fb6ab20f4208d3714451023 |
| SHA1 | 67d0833ae189414e2d4c1295a3cd4c965d3e8953 |
| SHA256 | 4e44dce28415fcacd3397fe2c425e7b3e3362a35248c91650cfe6a8daa5e34cc |
| SHA512 | 40bcc27648b593e8885fad0418c57aa3fb313f773a0bb037405e068b878494d3e39217ad98ef2e81a0cd30f034442d513a3644eeab3bba4353a21ff2e1c2c191 |
C:\Users\Admin\AppData\Local\Temp\RES3CBB.tmp
| MD5 | b427b6d6f4486f2042b7ef6833c15ea2 |
| SHA1 | ead1e687da948b2c107bbb14db95f2ed6d1d6c7c |
| SHA256 | 8e57a4bbafeea23be0f5e6d00fa71e36706851929c5b0d6469d612ca398792e6 |
| SHA512 | 86dbd038d6a5003dba0e8173ed508f0d0cade4b8259286a017e7c6c63853b37959cf9293abc3af6c9fdb3930f6fe5efbe50f76a8e7796852f7b1162b97317efb |
C:\Users\Admin\AppData\Local\Temp\tmp3BA1.tmp.exe
| MD5 | c7d846f38e1adf29bc96255ccdbfde14 |
| SHA1 | fd1897836aa4ba3cd66ca6a99cdb3e4ba5f61967 |
| SHA256 | c0b636b5ffa8a43e3b7bb83a0541da5ec7a09acd50313cb077f453ef1c0a2960 |
| SHA512 | 5ebb26aa8896820cd885dfa40efdf6720391e9505dd612624614639ed32fb8e2ee6363f02b1faf4386458bd14c1a28d617c0cde8ac2262a952c677735b8218a4 |