Analysis Overview
SHA256
fa05c038ef0dc5e87cc5f0cc602caefdeaa99cfc11bfb04b992acd7b3f5332ed
Threat Level: Known bad
The file fa05c038ef0dc5e87cc5f0cc602caefdeaa99cfc11bfb04b992acd7b3f5332ed was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Uses the VBS compiler for execution
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 04:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 04:02
Reported
2024-04-09 04:05
Platform
win7-20240319-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp50CE.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa05c038ef0dc5e87cc5f0cc602caefdeaa99cfc11bfb04b992acd7b3f5332ed.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa05c038ef0dc5e87cc5f0cc602caefdeaa99cfc11bfb04b992acd7b3f5332ed.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp50CE.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fa05c038ef0dc5e87cc5f0cc602caefdeaa99cfc11bfb04b992acd7b3f5332ed.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp50CE.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fa05c038ef0dc5e87cc5f0cc602caefdeaa99cfc11bfb04b992acd7b3f5332ed.exe
"C:\Users\Admin\AppData\Local\Temp\fa05c038ef0dc5e87cc5f0cc602caefdeaa99cfc11bfb04b992acd7b3f5332ed.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3ccz-kp4.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc52D1.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp50CE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp50CE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fa05c038ef0dc5e87cc5f0cc602caefdeaa99cfc11bfb04b992acd7b3f5332ed.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/1192-0-0x0000000074050000-0x00000000745FB000-memory.dmp
memory/1192-1-0x0000000074050000-0x00000000745FB000-memory.dmp
memory/1192-2-0x0000000000B50000-0x0000000000B90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3ccz-kp4.cmdline
| MD5 | be0d1c5b25c36b4d0446f30692eef28f |
| SHA1 | 570d7e0e85f2545ae8acc3096faa88a69ef2977d |
| SHA256 | 7554aadb60c2898a572b5976246805d5ec08046cdcab12a9dff60b82f2c148db |
| SHA512 | 117f47a745b7138774c68e9e4296d6ebeb38e1451c7f6ccc70909e82454d712555a5d6288a5c39cb7b2542d52aed3b9915e48e8aa40201ee90dae46084b93a97 |
C:\Users\Admin\AppData\Local\Temp\3ccz-kp4.0.vb
| MD5 | ff49e653a882579815352fa33b4da815 |
| SHA1 | b5bb8a0fbbd3647c097ce7ed05b51329f1726179 |
| SHA256 | 829fd7a3b37c6e955156cf171fc1ac9f5034a8e76e621107d2a875006d0597d4 |
| SHA512 | 40cc5f3159b68044359b75d3aa4879f48cf5bbddf257132bcc05179d209ccce83a6c9107a3a19e9656b7eeae55637ef6831c798ec420192f326f0cf521cffb2f |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc52D1.tmp
| MD5 | 36050b5fda18ec88118058973e51d894 |
| SHA1 | 4f2ac3bc2a5780e004de32b86853cd7580c8918e |
| SHA256 | bd7a0e9786261ca067409bd756b840ca26d83cb1e952025cc486557a8ba52d9a |
| SHA512 | b4f040d5b882532e0efd4c7d732a23859b302b9fa1dc1c60547a6409703f6396698d0ad9a5fa7a0cd68da3099ac1c85bd19d72ac8e310fc65b5bf106282ce636 |
C:\Users\Admin\AppData\Local\Temp\RES52D2.tmp
| MD5 | 98367508bbc02e1d2941656fee783fc3 |
| SHA1 | 127087b158a5d0e26a631353dd50c9f047463dd2 |
| SHA256 | 3a378937f34d8766f3ec84810bbee31e9c26f5522467b1bc4a44e57a293424f4 |
| SHA512 | 22f0aca1a58837b9dc4a3d1c7bba126760753ad16e9e71e7c8d3a474dd122b60a8672e080d63c543c0355fda51605da17dedc141a1b2f2d1c6d8933a988c0b99 |
C:\Users\Admin\AppData\Local\Temp\tmp50CE.tmp.exe
| MD5 | 665768cb3573252bb1858272aa6f9942 |
| SHA1 | 0c085ccdf3e8ebe6e4f93b749a17713b7c2e9aee |
| SHA256 | 9f0a2f8b5477d1992cf2898867477cdbc2ed282e1caeba08473210515fef164b |
| SHA512 | 1adacb47fd00f36d6a4308b968de72d815952c26ede757728266c80038f7d3de9e361eb3909ab8ca1e8a1144e92ef886b0f4cb855a2ac1a1c3053824060ce3c2 |
memory/3016-23-0x0000000074050000-0x00000000745FB000-memory.dmp
memory/1192-22-0x0000000074050000-0x00000000745FB000-memory.dmp
memory/3016-24-0x00000000021D0000-0x0000000002210000-memory.dmp
memory/3016-25-0x0000000074050000-0x00000000745FB000-memory.dmp
memory/3016-27-0x00000000021D0000-0x0000000002210000-memory.dmp
memory/3016-29-0x00000000021D0000-0x0000000002210000-memory.dmp
memory/3016-28-0x0000000074050000-0x00000000745FB000-memory.dmp
memory/3016-30-0x00000000021D0000-0x0000000002210000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 04:02
Reported
2024-04-09 04:05
Platform
win10v2004-20240226-en
Max time kernel
163s
Max time network
169s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fa05c038ef0dc5e87cc5f0cc602caefdeaa99cfc11bfb04b992acd7b3f5332ed.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpBA09.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpBA09.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fa05c038ef0dc5e87cc5f0cc602caefdeaa99cfc11bfb04b992acd7b3f5332ed.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpBA09.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fa05c038ef0dc5e87cc5f0cc602caefdeaa99cfc11bfb04b992acd7b3f5332ed.exe
"C:\Users\Admin\AppData\Local\Temp\fa05c038ef0dc5e87cc5f0cc602caefdeaa99cfc11bfb04b992acd7b3f5332ed.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hd8tmqzn.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC747.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB385FBAF4FE470C9B1D4928BFF6F0AD.TMP"
C:\Users\Admin\AppData\Local\Temp\tmpBA09.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpBA09.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fa05c038ef0dc5e87cc5f0cc602caefdeaa99cfc11bfb04b992acd7b3f5332ed.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/452-0-0x0000000074ED0000-0x0000000075481000-memory.dmp
memory/452-1-0x0000000074ED0000-0x0000000075481000-memory.dmp
memory/452-2-0x00000000012E0000-0x00000000012F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hd8tmqzn.cmdline
| MD5 | 8a415e48759de433076405f153d0a898 |
| SHA1 | 892daf245322f388ada2e151cfedfdad74161bc4 |
| SHA256 | 80cb9fb938fcf7854fccc1f20c62d1c38e01d0142843306eed6b0fd36ad3a9f2 |
| SHA512 | 80d22d6f3ceb35f2a3d170a0e6d8f163030457c5d0a0c2cc599f0bd65af3229e36cdfb08b620e74b68ec4a7f65ec063da67f1b93d322f7a31f21353d6bc356fc |
memory/1876-8-0x0000000002680000-0x0000000002690000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hd8tmqzn.0.vb
| MD5 | d70a4bbb8ad8e43ee19609220613bd09 |
| SHA1 | 2566645959bf7aeac6d4f7dd02df1914afbeb4f8 |
| SHA256 | 921eace047eac93c851092dcfdcc5b3ab94f31e5b2ac2217b1d8e699afc8df30 |
| SHA512 | 684f00628c618636a22c56e9e21a25f51587ea9586ba80e0a36eaf02b0a8871674556d3079c0d7c01917b1d65218c72afc100bea3ce77ce4cf3b4656a8d64e0a |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbcAB385FBAF4FE470C9B1D4928BFF6F0AD.TMP
| MD5 | b8588d9b82ad456ba85ec88ff02f488d |
| SHA1 | ad2922a10f03c1c22427ad99632ebaa9c871bd3a |
| SHA256 | d5e1451456c3a94886ea75936417c6f10b2a9def16589ea28568d6ef26796813 |
| SHA512 | f450366ac1ef1f942bcb439a9f00781a39edc93906713148878f17f8730a724f588d5be09e82bba574c1e778b52dc0cca498a4636c583fe5c7e230efadc64f14 |
C:\Users\Admin\AppData\Local\Temp\RESC747.tmp
| MD5 | c066e29738d2c702dd862fa02fb24458 |
| SHA1 | 2d8fab7605199619a9a70faa76489c917d92f0c6 |
| SHA256 | 76501afec7d32194875495d9e41107d5ae3d4bde3a379dbe7a50f5bad35498a5 |
| SHA512 | a7eae13a236cd22e715bdb93b06a273561765d2b36f6a6954b614b2a8b533af1f7051d4a52a21c5f63b511a6079a16b66c41e510abf2e95d1570fcaeb9c4e750 |
C:\Users\Admin\AppData\Local\Temp\tmpBA09.tmp.exe
| MD5 | 4c15530316986ba7078c47936b3f7cfc |
| SHA1 | 18dfdbecbb1f259bb5b911ef465b7575ec970f67 |
| SHA256 | 6ff85e55937a53f6f8454c794746a37558674a5d148c791d53ce9bcb4789558e |
| SHA512 | 1a2178ae56105993be7d52c3b2442b3bec8ddfac5faf212634d0fa2cd0a63863394544daee429de18dda2ebd04855db7c98cf75b1e7c0175a318cb080630d6f4 |
memory/4420-21-0x0000000074ED0000-0x0000000075481000-memory.dmp
memory/4420-22-0x0000000000F90000-0x0000000000FA0000-memory.dmp
memory/452-23-0x0000000074ED0000-0x0000000075481000-memory.dmp
memory/4420-25-0x0000000000F90000-0x0000000000FA0000-memory.dmp
memory/4420-26-0x0000000074ED0000-0x0000000075481000-memory.dmp
memory/4420-27-0x0000000000F90000-0x0000000000FA0000-memory.dmp
memory/4420-28-0x0000000000F90000-0x0000000000FA0000-memory.dmp