Analysis Overview
SHA256
a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f
Threat Level: Known bad
The file a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 00:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 00:49
Reported
2024-04-09 00:51
Platform
win7-20240221-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4B43.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp4B43.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4B43.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe
"C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lw-jk5w3.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D47.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D36.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp4B43.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4B43.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe
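Detection logic for the process tree and Run-key entry above, added here as an example; it is not part of the sandbox report or of any vendor's rule set. The chain it targets is the one the report shows: a dropper in %TEMP% writes a .vb source and a .cmdline response file (the naming the .NET CodeDom compiler API produces), runs vbc.exe /noconfig @file, which runs cvtres.exe, then starts the freshly built tmpXXXX.tmp.exe with the dropper's own path as its argument, and that child writes a Run value (System.XML) pointing at %TEMP%\AppLaunch.exe. Note that no AppLaunch.exe appears among the files the report lists as written, so the persistence target cannot be confirmed from this page. The events below use Sysmon-style field names (EventID 1 process creation, EventID 13 registry value set) and are constructed from the report; the parent processes, the explorer.exe parent and the benign MSBuild-driven vbc.exe event are assumptions for illustration.

```python
"""Three checks over Sysmon-style events for the compile-and-run chain and the
Run-key persistence in the report (added example, not report or vendor code)."""
import re
from typing import Dict, List, Tuple

# Directories a standard user can write to. A .NET compiler driven from here,
# or an EXE running from here, deserves a second look.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData\\(?:Local|Roaming)|ProgramData|Windows\\Temp)\\",
    re.I,
)
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)

# Paths taken from the behavioral1 process tree (assumed parent processes).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
BUILT = r"C:\Users\Admin\AppData\Local\Temp\tmp4B43.tmp.exe"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def argv(cmdline: str) -> List[str]:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def check_process(ev: Dict[str, str]) -> List[str]:
    hits = []
    image, parent = ev["Image"], ev["ParentImage"]
    args = argv(ev["CommandLine"])
    # R1: vbc.exe/csc.exe driven by a response file where the parent or the
    # response file lives in a user-writable directory. Build tools also run
    # the compilers, but from project directories, not %TEMP%.
    if basename(image) in DOTNET_COMPILERS:
        resp = [a[1:].strip('"') for a in args[1:] if a.startswith("@")]
        if USER_WRITABLE.search(parent) or any(USER_WRITABLE.search(r) for r in resp):
            hits.append("dotnet_compiler_from_user_writable_path")
    # R2: a temp-dir EXE started by another temp-dir EXE and handed that
    # parent's own path as an argument (the tmpXXXX.tmp.exe step above).
    if USER_WRITABLE.search(image) and USER_WRITABLE.search(parent):
        if any(a.lower() == parent.lower() for a in args[1:]):
            hits.append("temp_exe_given_dropper_path")
    return hits


def check_registry(ev: Dict[str, str]) -> List[str]:
    # R3: a Run/RunOnce value whose data points into a user-writable directory.
    if RUN_KEY.search(ev["TargetObject"]) and USER_WRITABLE.search(ev["Details"]):
        return ["run_key_targets_user_writable_path"]
    return []


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, image) pairs for every event that trips a check."""
    findings = []
    for ev in events:
        checker = check_process if ev["EventID"] == 1 else check_registry
        for rule in checker(ev):
            findings.append((rule, ev["Image"]))
    return findings


# Constructed events mirroring the report; the last one is a benign control.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": DROPPER, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{DROPPER}"'},
    {"EventID": 1, "Image": VBC, "ParentImage": DROPPER,
     "CommandLine": f'"{VBC}" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\lw-jk5w3.cmdline"'},
    {"EventID": 1, "Image": CVTRES, "ParentImage": VBC,
     "CommandLine": f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RES4D47.tmp" "C:\\Users\\Admin\\AppData\\Local\\Temp\\vbc4D36.tmp"'},
    {"EventID": 1, "Image": BUILT, "ParentImage": DROPPER,
     "CommandLine": f'"{BUILT}" {DROPPER}'},
    {"EventID": 13, "Image": BUILT,
     "TargetObject": r"HKU\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe"'},
    {"EventID": 1, "Image": VBC,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": f'"{VBC}" /noconfig @"C:\\src\\app\\obj\\Debug\\app.cmdline"'},
]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The three rules fire once each on the constructed events (on vbc.exe, on tmp4B43.tmp.exe, and on the registry write by tmp4B43.tmp.exe) and stay silent on the MSBuild-driven compile, which is the false positive a naive "vbc.exe ran" rule would produce.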
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | bejnz.com | udp | 1 |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp | 1 |
| US | 34.67.9.172:80 | bejnz.com | tcp | 102 |
Order in the original report: the bejnz.com lookup, one TCP connection to 34.67.9.172:80, the hackorchronix.no-ip.biz lookup, then 101 further TCP connections to 34.67.9.172:80 within the 153s network window. 34.67.9.172:80 is the only TCP peer; no connection to an address resolved for hackorchronix.no-ip.biz is recorded.
Files
Memory regions: the 0x00000000747E0000-0x0000000074D8B000 range is dumped from both PID 2208 and PID 2724. The same range in two processes is consistent with a module mapped at the same base in both rather than a process-specific allocation, but the report does not name the module; the 0x02030000 (PID 2208) and 0x021C0000 (PID 2724) regions are the per-process ones.
memory/2208-0-0x00000000747E0000-0x0000000074D8B000-memory.dmp
memory/2208-2-0x0000000002030000-0x0000000002070000-memory.dmp
memory/2208-1-0x00000000747E0000-0x0000000074D8B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lw-jk5w3.cmdline
| MD5 | fb1c2cbc19c23ea533659e14c1005bc8 |
| SHA1 | c90a648a1e14393a2c95838fdc53971db42258fa |
| SHA256 | 369c5a832c5c07f31a9586d25060ad437ec337d9e1ae0c24828f006da93d05c8 |
| SHA512 | 9f4ecb8d6fb6ec4f96cb29db1cd8124f206bf574e0b2d4466c7392f7cce0901b93234b7f530f95c31a53fb14ef51e75cacf72ba2171f23c3fbe6f91d207f2324 |
C:\Users\Admin\AppData\Local\Temp\lw-jk5w3.0.vb
| MD5 | 6cf0a9485f36cfd64d7d8cd56f84ccd6 |
| SHA1 | 501185e02d2009f5e7ab134470ed5027ec71c617 |
| SHA256 | dd07abf561e5998804796c116e821b925061ce03de1535a70a9d61b08e7ff56f |
| SHA512 | 7d18b763b2fbff71d237e1397e5ca1b916a9e069a445c7375fbdf6997328299c7bd0efb286015eabedca061ab6357c1248109b2fa89fd6ba041376942f55cdd8 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc4D36.tmp
| MD5 | b98e079761d2dc73bcf7675bb272bacd |
| SHA1 | dd03d30a8bb4ab2a09a5e739b40bd97648c5098d |
| SHA256 | f657fb8c6c316cb4dcb4ecb0170cdf4437a31f3e08ff737b755984eea87a2a35 |
| SHA512 | 278e91f4264c9c6d2c3e0ef58df428bbda1bd2279dfd0562560ba0c6c4b02a2d5b07baad4b29d1a32c2e4b3b13a0a518b8611044b6e6d0dcdfc868cd06a73f32 |
C:\Users\Admin\AppData\Local\Temp\RES4D47.tmp
| MD5 | 55eaa7613bea5b99569a8f50319ac3ec |
| SHA1 | 8a52b810fb2f5cd105da2e51a71a1984a7867c5d |
| SHA256 | f12eb0ce3185562ebe17d6736380a7dcf86762be700da34aa011fcb031060f59 |
| SHA512 | a104c89324e8e9702982594c0a36ad9ee833e99735bb3332c37a4432d3d1c8d37ee0e603bff749e6a47d4edeb75638faf911c65594a7f25026e74dfeea8e5466 |
C:\Users\Admin\AppData\Local\Temp\tmp4B43.tmp.exe
| MD5 | 5c7f75ac227b53670db1af6e21e195cb |
| SHA1 | 0db3017524b890089f98a416a8ee36e4a74f5068 |
| SHA256 | ef7c13240043a54500bbb52f477e216ff17944f4123d04d1c4ca450eeb8fad71 |
| SHA512 | a935bba635e50f0bceb02fe38716ca604184d398d29272eeb6b897488cf2418c325d1a6bdc81f39cfbba4031af57ab112dd7aa46628ab95913753102fa4b4ec2 |
memory/2208-22-0x00000000747E0000-0x0000000074D8B000-memory.dmp
memory/2724-24-0x00000000021C0000-0x0000000002200000-memory.dmp
memory/2724-25-0x00000000747E0000-0x0000000074D8B000-memory.dmp
memory/2724-23-0x00000000747E0000-0x0000000074D8B000-memory.dmp
memory/2724-27-0x00000000021C0000-0x0000000002200000-memory.dmp
memory/2724-28-0x00000000747E0000-0x0000000074D8B000-memory.dmp
memory/2724-29-0x00000000021C0000-0x0000000002200000-memory.dmp
memory/2724-30-0x00000000021C0000-0x0000000002200000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 00:49
Reported
2024-04-09 00:51
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3393.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp3393.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3393.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe
"C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wrkveqmm.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES349D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4BD3FFD73D694E2F97E06652B7CE8E12.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp3393.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3393.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | bejnz.com | udp | 1 |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp | 27 |
| US | 34.67.9.172:80 | bejnz.com | tcp | 102 |
| US | 8.8.8.8:53 | PTR (in-addr.arpa) lookups, 13 distinct names | udp | 13 |
PTR names queried, in order of first appearance: 8.8.8.8, 13.86.106.20, 240.197.17.2, 138.32.126.40, 172.9.67.34, 209.205.72.20, 217.106.137.52, 86.23.85.13, 56.126.166.20, 134.71.91.104, 249.197.17.2, 14.227.111.52, 10.179.89.13 (each suffixed .in-addr.arpa). The report does not attribute these lookups to a process; 172.9.67.34.in-addr.arpa is the reverse of 34.67.9.172, the address bejnz.com resolved to.
Order in the original report: after the bejnz.com lookup and the first TCP connection, the hackorchronix.no-ip.biz lookup recurs roughly every four TCP connections to 34.67.9.172:80 for the whole 151s network window. As in behavioral1, 34.67.9.172:80 is the only TCP peer and no connection to an address resolved for hackorchronix.no-ip.biz is recorded.
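Triage of the Network table above, added here as an example; it is not part of the sandbox report or of any vendor's tooling. It takes rows in the report's column order and separates what the sample can be held responsible for from resolver noise: connection counts per contacted name, names that were resolved but never contacted (here the no-ip.biz dynamic-DNS name, queried over and over with no matching TCP connection), and PTR lookups, split by whether they reverse an address that was actually contacted. The rows are a constructed, shortened copy of the behavioral2 table (same names, addresses and ordering pattern, fewer repeats); the dynamic-DNS suffix list is an assumption.

```python
"""Separate sample-attributable traffic from resolver noise in a sandbox
network table (added example, not report or vendor code)."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Assumed list of common dynamic-DNS suffixes; extend for your environment.
DYNDNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "no-ip.com", "ddns.net",
                   "hopto.org", "zapto.org", "duckdns.org", "dyndns.org")

Row = Tuple[str, str, str]  # (destination "ip:port", domain, proto), as in the table


def ptr_to_ip(name: str) -> str:
    """'172.9.67.34.in-addr.arpa' -> '34.67.9.172' (PTR names reverse the octets)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def triage(rows: List[Row]) -> Dict[str, object]:
    resolved: Counter = Counter()              # forward lookups per name
    connected = defaultdict(Counter)           # name -> destination -> count
    ptr: List[str] = []                        # IPs whose PTR was queried
    for dest, domain, proto in rows:
        if proto == "udp" and dest.endswith(":53"):
            if domain.endswith(".in-addr.arpa"):
                ptr.append(ptr_to_ip(domain))
            else:
                resolved[domain] += 1
        else:
            connected[domain][dest] += 1
    contacted_ips = {d.rsplit(":", 1)[0] for c in connected.values() for d in c}
    return {
        "connected": {dom: dict(c) for dom, c in connected.items()},
        # Resolved repeatedly but never contacted: a fallback or dead C2 name.
        "resolved_never_connected": {d: n for d, n in resolved.items() if d not in connected},
        "dynamic_dns": sorted(d for d in resolved if d.endswith(DYNDNS_SUFFIXES)),
        # PTR lookups for an address the sample contacted are worth keeping;
        # the rest are usually resolver or platform background.
        "ptr_for_contacted_ip": sorted(ip for ip in ptr if ip in contacted_ips),
        "ptr_other": sorted(ip for ip in ptr if ip not in contacted_ips),
    }


# Constructed, shortened version of the behavioral2 table.
SAMPLE_ROWS: List[Row] = [
    ("8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "bejnz.com", "udp"),
    ("34.67.9.172:80", "bejnz.com", "tcp"),
    ("8.8.8.8:53", "hackorchronix.no-ip.biz", "udp"),
    ("8.8.8.8:53", "172.9.67.34.in-addr.arpa", "udp"),
] + [("34.67.9.172:80", "bejnz.com", "tcp")] * 4 + [
    ("8.8.8.8:53", "hackorchronix.no-ip.biz", "udp"),
] + [("34.67.9.172:80", "bejnz.com", "tcp")] * 4 + [
    ("8.8.8.8:53", "hackorchronix.no-ip.biz", "udp"),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

On the constructed rows the result is nine connections to 34.67.9.172:80 for bejnz.com, hackorchronix.no-ip.biz resolved three times and never contacted (and flagged as dynamic DNS), one PTR lookup that reverses the contacted address, and one that does not.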
Files
Across the two runs only C:\Users\Admin\AppData\Local\Temp\zCom.resources has identical hashes (MD5 aa4bdac8c4e0538ec2bb4b7574c94192). The generated .vb source, the .cmdline response file and the compiled tmpXXXX.tmp.exe all differ between behavioral1 and behavioral2, so the compiled stage is not hash-stable; the resource file and the behaviour above are the better pivots.
memory/4756-0-0x0000000075480000-0x0000000075A31000-memory.dmp
memory/4756-1-0x0000000075480000-0x0000000075A31000-memory.dmp
memory/4756-2-0x00000000014A0000-0x00000000014B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wrkveqmm.cmdline
| MD5 | acabb575e424fab627f55e96e319e5af |
| SHA1 | a40299a221e25146203ae2fa44af8c5bfe6368b7 |
| SHA256 | 8f8ab63b373d7db985e815e08d02db9dd7eb8b034001419d6197c84f85acb637 |
| SHA512 | fa4f429df09c7183441556f1e008adaf271c516ff25ea44a9c7b37dd07b636677f9cfd3169d925f7848962336fe481ec56473fbc62e30b2776dd9f75a83a7d63 |
C:\Users\Admin\AppData\Local\Temp\wrkveqmm.0.vb
| MD5 | 14f27bf1279da7493410456ae6eb48e0 |
| SHA1 | 385c6a4330f44745201455080bd65ad96e7fe998 |
| SHA256 | 0d3d11ec8050ebba969722750ac68abbc494d2c82222df1186417a41d8d59d88 |
| SHA512 | f09a3ba9cfc29a5ff1e8ded71459fcd0cbfe0e4a02b8b6cbafb893b18448870eb7971ddcc36e7e3daa9b4ddf38e93db3050c51c2fba7418af4d4f6704e0a64b9 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc4BD3FFD73D694E2F97E06652B7CE8E12.TMP
| MD5 | 39b4288ec22c4563b1d0e0c722c8380c |
| SHA1 | b275f3a1ab0b8b61e3988f99217abc8879bb7d84 |
| SHA256 | d5c863d76883676b97f834ee1573bcba0647141c50d3a97126281ca2c4c17978 |
| SHA512 | f0aae44531955f56235a59b3b8ec5b1e8cf81ce72415078bdbb871cf943f723aedd1680cff4b5d033d467804bb053dc7428051ec8c9d5a80eddc6dabfede4984 |
C:\Users\Admin\AppData\Local\Temp\RES349D.tmp
| MD5 | 0ab7e9927132a322ffad07d6836f9bf0 |
| SHA1 | 319900f331d984609b42cc31ecde139677ecc5d3 |
| SHA256 | 1f3ae11edb5b340efdcba1c5ac4533788d5eb1911db292465c1f068ee2d66866 |
| SHA512 | b231f5b1032a4409b369b868b499c4be18ee50e7ddc2ad4971f3c2d52ad171d792f5cedb2ba70e3c3b72e060043fd43c4e4f8d28451146d60f93594b30b7faef |
C:\Users\Admin\AppData\Local\Temp\tmp3393.tmp.exe
| MD5 | 7a589baf691c2364bf44a91de07f3006 |
| SHA1 | fa4397119f14c5e585701b5d2fdfb41980597cac |
| SHA256 | d0a45988b38d5ab15d9df72340ac5709086bcb375919790464d022233aff04a6 |
| SHA512 | d790fd27e7b007d597b1073862d9350ba4d769d3dca7ff550a2d688e87a65465c620222aa48a9d5600c0de53042549b788500311b00228c62907144301fd1877 |
memory/4756-20-0x0000000075480000-0x0000000075A31000-memory.dmp
memory/3272-21-0x0000000075480000-0x0000000075A31000-memory.dmp
memory/3272-22-0x0000000000E60000-0x0000000000E70000-memory.dmp
memory/3272-23-0x0000000075480000-0x0000000075A31000-memory.dmp
memory/3272-25-0x0000000000E60000-0x0000000000E70000-memory.dmp
memory/3272-26-0x0000000075480000-0x0000000075A31000-memory.dmp
memory/3272-27-0x0000000000E60000-0x0000000000E70000-memory.dmp
memory/3272-28-0x0000000000E60000-0x0000000000E70000-memory.dmp