Analysis Overview
SHA256: bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4
Threat Level: Known bad
The file bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Deletes itself
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-04-09 01:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-09 01:44
Reported: 2024-04-09 01:46
Platform: win7-20240319-en
Max time kernel: 150s
Max time network: 153s
Command Line
Signatures
MetamorpherRAT
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe
"C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xbrcrwjm.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc36C9.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xbrcrwjm.cmdline
C:\Users\Admin\AppData\Local\Temp\xbrcrwjm.0.vb
C:\Users\Admin\AppData\Local\Temp\zCom.resources
C:\Users\Admin\AppData\Local\Temp\vbc36C9.tmp
C:\Users\Admin\AppData\Local\Temp\RES36CA.tmp
C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-04-09 01:44
Reported: 2024-04-09 01:46
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 155s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6263.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp6263.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6263.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe
"C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\knhp8dvp.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDFE88762A37D4EEBA55B71EC8A82C26.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp6263.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6263.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bb54225c23d52ba823f738badc4590947be7cc8fee5d98a18a1948b2ac99bbb4.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\knhp8dvp.cmdline
C:\Users\Admin\AppData\Local\Temp\knhp8dvp.0.vb
C:\Users\Admin\AppData\Local\Temp\zCom.resources
C:\Users\Admin\AppData\Local\Temp\vbcDFE88762A37D4EEBA55B71EC8A82C26.TMP
C:\Users\Admin\AppData\Local\Temp\RES63CB.tmp
C:\Users\Admin\AppData\Local\Temp\tmp6263.tmp.exe