Analysis Overview
SHA256
c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f
Threat Level: Known bad
The file c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Executes dropped EXE
Uses the VBS compiler for execution
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 02:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 02:17
Reported
2024-04-09 02:20
Platform
win7-20240220-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1027.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp1027.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1027.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe
"C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gslckfb1.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc10A4.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp1027.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1027.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
Files
memory/2924-1-0x0000000000420000-0x0000000000460000-memory.dmp
memory/2924-0-0x0000000074370000-0x000000007491B000-memory.dmp
memory/2924-2-0x0000000074370000-0x000000007491B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gslckfb1.cmdline
| MD5 | a1e3baaef8dd1810a785cbba5f7169df |
| SHA1 | 3ad2bb238d31fd62e973ce953a8693123e687a72 |
| SHA256 | 7023982ff79d67ff6edad8200e66e821f9f9fc7db3c386385eba18101393ced0 |
| SHA512 | b99f3297ea646578fe148af61c96bf5bfda261daafff81545307e73b73c380018d942314377efb8aa46dede43b9597953ed1749208414fe61be08048eb61df98 |
C:\Users\Admin\AppData\Local\Temp\gslckfb1.0.vb
| MD5 | a51b2cc2281e84e277b88f3d59a8876b |
| SHA1 | 9058e550944e25621587ae06643cb3fac1dc9bdf |
| SHA256 | ee0dc9b6257b5d56683e5b5118752f8e094d50c05fc51c5a2a4cdb757ee2b2fe |
| SHA512 | bb80c82d5235c1cf09044be7d797b5ed0a73ae13f357d8ecddf6a87def2f96f5ba085c9c8d5c8f4b6a592d7e695c9a0b6cb3f829132cd4c7fcf7b67ca52f0b51 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\RES10A5.tmp
| MD5 | 284c52bdd29b694ee0f9214b19ba2184 |
| SHA1 | 67b18af547eec0f8ccddfba60cd7f2009675df9a |
| SHA256 | c083ab2b5b6c4175a0e2144aacb3d808870a0df774cd48a1c07a7cf71216b48b |
| SHA512 | 411c7d0733e29839efe29b7548a33f9d2373449f7bc7f0b5cbf7a9e66c1277d4398971652fd2c98d498111dea271b194392a8e5d20dabd405d945a3831b7c5d0 |
C:\Users\Admin\AppData\Local\Temp\vbc10A4.tmp
| MD5 | d979edef66b3df98dc9a0634d522bff3 |
| SHA1 | 5861bdec043fa120522dc8b3472773849082cf92 |
| SHA256 | 25db1340baaa4ddc94a040e59570d62424739c255d07cf4ef290e7c73cf94b68 |
| SHA512 | 1b849429cae3050e2085a2828df3ab5c6e621e654105c85566e1c91ecc72553402db57636264ed85d692d3d0c8fe5bad486fa2270da5e0ee35d8c365e0ceaa3c |
C:\Users\Admin\AppData\Local\Temp\tmp1027.tmp.exe
| MD5 | 0b17007c9b02a011206ff53f78b36c82 |
| SHA1 | c7555eeb46b08b062b3a777e9fde7e13fa5b8f76 |
| SHA256 | af6c1f76eacc1b96d7850042858d3325aec8adafca71e331cf1b5dfbb03f9afe |
| SHA512 | ca2d0fcb69682034709299d7de41dce097e5fffbbebdb4e5086762fff36d0a39369d3277541c41ce4d5ab31ee21d5f163104e9e1dee6b2302c151f906cbbaf75 |
memory/2732-23-0x0000000074370000-0x000000007491B000-memory.dmp
memory/2924-22-0x0000000074370000-0x000000007491B000-memory.dmp
memory/2732-24-0x00000000009C0000-0x0000000000A00000-memory.dmp
memory/2732-25-0x0000000074370000-0x000000007491B000-memory.dmp
memory/2732-27-0x00000000009C0000-0x0000000000A00000-memory.dmp
memory/2732-29-0x00000000009C0000-0x0000000000A00000-memory.dmp
memory/2732-28-0x0000000074370000-0x000000007491B000-memory.dmp
memory/2732-30-0x00000000009C0000-0x0000000000A00000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 02:17
Reported
2024-04-09 02:20
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
157s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp409E.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp409E.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp409E.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe
"C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3ijilypt.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4958.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C2F337376074A70ABA0D5227F4A1DF0.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp409E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp409E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c6aa5e4376e8a85afe781b0cba7275f68188d55f5fc34e1acf790e625321577f.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.187.202:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
memory/4604-0-0x00000000750C0000-0x0000000075671000-memory.dmp
memory/4604-1-0x00000000750C0000-0x0000000075671000-memory.dmp
memory/4604-2-0x0000000000D50000-0x0000000000D60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3ijilypt.cmdline
| MD5 | 256279271b9a8ed728a6d99ab61cd52a |
| SHA1 | 6e96907a641e7203e466e945dc68fd4a608c258e |
| SHA256 | 2f4692f0befcd3502921442feb5c3c002e6fedffe6bcedc901d4b6b79333e60b |
| SHA512 | a5dbd869ad8f729057bb11fc0d392a3ede560dc610d152839df4c952332df2c8ebbe36cb4de6d6523ff62f25aa75c0d08706703ca3950a67828a6840734682cf |
memory/1008-8-0x00000000024C0000-0x00000000024D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3ijilypt.0.vb
| MD5 | 1c1db4bdbf7a36f80233c2342c7eaf3d |
| SHA1 | 06cbe7307636bee8985d0ad62296f481b09c4d6e |
| SHA256 | 2a2073f651af8edc46a1413e0cce8b70b3b780bafd72717ccca12ec1b57e94b9 |
| SHA512 | 772db3185d4c7b08e052bec9fdbf19557f3e855075bc4821215279108cd8350508f9a9b78c013acd92908ed7c6fff4b9e12934ffdf7cdf28f8b0bf60f3548ce5 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc9C2F337376074A70ABA0D5227F4A1DF0.TMP
| MD5 | 55df8a760691da0b3123e5d805652096 |
| SHA1 | 965f01c3e45bc874edab739a8562a003d26b6c3b |
| SHA256 | 0b9e58b4e98e337f6ff0bf1fec6e417ef04cb9f2085aa5a1eddfc0ff874ba878 |
| SHA512 | d024d3f7a85a2a7ff0d773b90f25ab89a7269d4791deeeb74cc40515e11661d78053048211011ba674b3bc0e9e8f2bab2628946808c6393e9d1e6b8afbbdd1f2 |
C:\Users\Admin\AppData\Local\Temp\RES4958.tmp
| MD5 | e7d2dbacdca9db6988562cbf44683450 |
| SHA1 | 724f2d0126dcf775b0474dd7a24a65000a829775 |
| SHA256 | 289654365566e5c588b5311ac58cd43abb6063a15a682abb3326481ad88235f1 |
| SHA512 | 25d19e585b579e1a3a842bf611a39de69c124eaf9c0e700556c42dcfd09af97aa9c1a3fcc3827ffb835245146ef279ceab7877f29ac49e771b7392f8a24ef7d4 |
C:\Users\Admin\AppData\Local\Temp\tmp409E.tmp.exe
| MD5 | 36c9130c2244e461360d9f777e122eff |
| SHA1 | a56ec0d8a87cf6be14baa314c99511e54d47c615 |
| SHA256 | 418382088e7dc1a93912923b6510937dda044ec258b397f8fc35271f853c9f3a |
| SHA512 | 624dccb947eefa6c6c2583aea8a7f9a96e54b1d43ce879092f3f2d304fce74af20e2b9d33b52e66f4cf73c3d11231a4ddcd8b34279908ac440b7034b404e12d2 |
memory/4604-20-0x00000000750C0000-0x0000000075671000-memory.dmp
memory/4604-22-0x00000000750C0000-0x0000000075671000-memory.dmp
memory/4632-23-0x00000000750C0000-0x0000000075671000-memory.dmp
memory/4632-24-0x0000000001470000-0x0000000001480000-memory.dmp
memory/4632-25-0x00000000750C0000-0x0000000075671000-memory.dmp
memory/4632-27-0x0000000001470000-0x0000000001480000-memory.dmp
memory/4632-29-0x0000000001470000-0x0000000001480000-memory.dmp
memory/4632-28-0x00000000750C0000-0x0000000075671000-memory.dmp
memory/4632-30-0x0000000001470000-0x0000000001480000-memory.dmp