Analysis Overview
SHA256
f056d4c1f5d092f69f43e0de63be99d70ffa7e4edf55cc20df05a76ef5f7ac9b
Threat Level: Known bad
The file 533e73f658e25e20e180b9045ce845b2 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Deletes itself
Uses the VBS compiler for execution
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 22:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 22:37
Reported
2024-04-09 22:42
Platform
win7-20240221-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
MetamorpherRAT
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp164E.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp164E.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp164E.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp164E.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe
"C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pej9ivt2.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16FA.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp164E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp164E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2240-0-0x0000000074C40000-0x00000000751EB000-memory.dmp
memory/2240-1-0x0000000074C40000-0x00000000751EB000-memory.dmp
memory/2240-2-0x00000000005D0000-0x0000000000610000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pej9ivt2.cmdline
| MD5 | 23b4dc84bae92c9b5d4010255dfa7fce |
| SHA1 | 23c1e825c99257407ff981463a1d3cac869cf1fa |
| SHA256 | cffc988b884fe020ea530a15bc034ee3f36857cdbaa387cd707852961c6b6fcd |
| SHA512 | 048bda1a059320008c7ad4c9765cfd224ee163aa4f516f783bf7d77d3471c7c3a04535f18285ed734d796e23d391ca4f0637d79481a5d70f9724c6abc84925d6 |
C:\Users\Admin\AppData\Local\Temp\pej9ivt2.0.vb
| MD5 | 24a2b2d619451b5a630d04eb94917b89 |
| SHA1 | fb1f24e9db6114aa016cb9fb554b04290e9629ee |
| SHA256 | 941f2a9c695d53b61d41d01d0568ff4252bce76a9ada809913b6799b839f3ef0 |
| SHA512 | 989dd22646d0e2c9eb2efe933b15635101fec5ad463a98c6777a993d7b1189e26b0130f65b9119acd17ece674e02e06d82ca2810bc5dae0744df314c34be6acf |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc16FA.tmp
| MD5 | b1ba0620b9b7c160d729a9e9ce3a41fa |
| SHA1 | f4dd034075de92027661e86f44286d76b82994f6 |
| SHA256 | 3276aeeb68af6503a2bec56d9b557c57f57a8bccc4274eff5f0720d7fc54746a |
| SHA512 | 891a62d4fc0a39427f057507ec61a6fb17e5113050cfb65b09f9597a6bb16dcaa317600e6abf10be2e9cbab82997c1fc22212a309c31732bcf68fdac94583515 |
C:\Users\Admin\AppData\Local\Temp\RES16FB.tmp
| MD5 | 028cbfc08828ac47fc4d2a451fbf6cda |
| SHA1 | 9484738a2d96142004da5b637395ba0f225c450a |
| SHA256 | c6db588c19bc38c644e0ccfc0aeab04176ba2855263979a4f0b7974cef5240ed |
| SHA512 | fd80fece4b19bfcf96538ffd4f4190a6d1ba1bf394b199bc529f96854e25d11056e498606d3df816cf2542dd188e8a1a99d75113ef5e333fe6f79f36d1b0f0e5 |
C:\Users\Admin\AppData\Local\Temp\tmp164E.tmp.exe
| MD5 | d00d7a305464158140d4962bfc454e8c |
| SHA1 | f27a7d70ab6dee03aa621fee7b9d6e001da68c9f |
| SHA256 | 5c0e28c33431f3779c33d88cdfe235a6df0da884833dbb99f6dc2e368e4f6ab3 |
| SHA512 | a5626432ab2c4ec363038c559d0f3e76f89999e15dc515e6afa87462913556e77bb07927d9e5e1dacc7d98da3af03437e35f23cc42fa8e912d51b8195ad08dda |
memory/2240-22-0x0000000074C40000-0x00000000751EB000-memory.dmp
memory/2568-24-0x0000000000A40000-0x0000000000A80000-memory.dmp
memory/2568-23-0x0000000074C40000-0x00000000751EB000-memory.dmp
memory/2568-25-0x0000000074C40000-0x00000000751EB000-memory.dmp
memory/2568-27-0x0000000000A40000-0x0000000000A80000-memory.dmp
memory/2568-28-0x0000000074C40000-0x00000000751EB000-memory.dmp
memory/2568-29-0x0000000000A40000-0x0000000000A80000-memory.dmp
memory/2568-30-0x0000000000A40000-0x0000000000A80000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 22:37
Reported
2024-04-09 22:43
Platform
win10v2004-20240226-en
Max time kernel
166s
Max time network
172s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB565.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpB565.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB565.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe
"C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kb7dofuw.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE162A4E3991641CEA62ED6FC4E7724.TMP"
C:\Users\Admin\AppData\Local\Temp\tmpB565.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB565.tmp.exe" C:\Users\Admin\AppData\Local\Temp\533e73f658e25e20e180b9045ce845b2.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 |  | tcp |
Files
memory/2776-0-0x00000000754C0000-0x0000000075A71000-memory.dmp
memory/2776-1-0x00000000754C0000-0x0000000075A71000-memory.dmp
memory/2776-2-0x0000000001050000-0x0000000001060000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kb7dofuw.cmdline
| MD5 | cae731d0dd975fd187ff4623e5605411 |
| SHA1 | 36cee2ed14095ddbef490a6e50bddfb6495aaa0e |
| SHA256 | 682f6e336ce9260eada226d984f9a12eb7fff60e2f8d5a95541ea5e0293efc73 |
| SHA512 | 83c9c36c4509a7b2da076fdba010b2043d9d2f162b3742d3a0e47ea1a27962864559f34f744f7c7cf63c8a127ae03f4fd20947f8ea6c14b72ad01fe451c17769 |
memory/3232-8-0x0000000000B20000-0x0000000000B30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kb7dofuw.0.vb
| MD5 | af4b12c61c4adcc5a2dba03ebd69fedb |
| SHA1 | 55fe56a35f4479103de429df9e6631a953f04967 |
| SHA256 | d903ffd4c904c46517a7a24551897bdf8c0c41ac377cf6c584ffd073de3f25e8 |
| SHA512 | bb8710bed306c8f51cbf2c4fca41eb03e18b8e15b3599fe5ba99a8e064c2ce6a1220b980b13317810f2915d0e44355ba83eb4630614283087196724df46c7543 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbcE162A4E3991641CEA62ED6FC4E7724.TMP
| MD5 | c64da5017f63f23f8c2b7c8ead32b6ff |
| SHA1 | 1fe4c3b8ddadb32ff681876fd52f7603206b96cc |
| SHA256 | f30c4fb8ac06eddc7918aee90ac462a90ed025d44138c9c9c253a15f31a1a7d9 |
| SHA512 | 5c1ac71c5170a49e4477dbdfa0fed40c3e88db00301ab559e8b80217a4335a18d086e0d30d2a48bcefa7ed9f740a73f22619dba88cc8a4089d5ea16de94a7b98 |
C:\Users\Admin\AppData\Local\Temp\RESB6DC.tmp
| MD5 | 07ad441c8aaf09f21b8494b2917f9cff |
| SHA1 | cf12b6a539aa949546c86623b716e92f628f6167 |
| SHA256 | 995805866a9d3a7e02e53e305dd2466139ecd09da8d5158cb720178ee46254f4 |
| SHA512 | 0759a328bed3a4ad4a0dd2d4934c4bff7c9ec895627692c8dad21e25ff3d029aa67e93cfa7e9828a08ee57c08bda45a698b2deeeec33783f8fbeec10d905fa3d |
C:\Users\Admin\AppData\Local\Temp\tmpB565.tmp.exe
| MD5 | 001732e7d7026e54f46fa2290df9f84b |
| SHA1 | 29688c931ba0b071fec975e71be73c95626e8b05 |
| SHA256 | ac5c9580d0309fbfa108a824c305a850411b7f448a5bb4ca87f9fdc66e2ac6f1 |
| SHA512 | f0c15ccef4feca4cb14ebba7469895afba260a5dd37e9e4845e57295df35536541e9d35dc79d2493d3545eb2febc45b662cf5623924ee80dda34384e99532c6b |
memory/2776-21-0x00000000754C0000-0x0000000075A71000-memory.dmp
memory/2056-22-0x00000000754C0000-0x0000000075A71000-memory.dmp
memory/2056-23-0x0000000001100000-0x0000000001110000-memory.dmp
memory/2056-24-0x00000000754C0000-0x0000000075A71000-memory.dmp
memory/2056-26-0x0000000001100000-0x0000000001110000-memory.dmp
memory/2056-27-0x00000000754C0000-0x0000000075A71000-memory.dmp
memory/2056-28-0x0000000001100000-0x0000000001110000-memory.dmp
memory/2056-29-0x0000000001100000-0x0000000001110000-memory.dmp