Analysis Overview
SHA256
fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42
Threat Level: Known bad
The file fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 04:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 04:08
Reported
2024-04-09 04:11
Platform
win7-20240221-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7002.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp7002.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp7002.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe
"C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\px-ahfw1.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7198.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7188.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp7002.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7002.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
Files
memory/2380-0-0x0000000074E70000-0x000000007541B000-memory.dmp
memory/2380-1-0x0000000074E70000-0x000000007541B000-memory.dmp
memory/2380-2-0x00000000000E0000-0x0000000000120000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\px-ahfw1.cmdline
| MD5 | 85b29a523ba931893d240c69a675262f |
| SHA1 | 279eb65f90622a3a548e5525c8a24a066178dc20 |
| SHA256 | b54cbafd61e7752e37b1434eda7d3b26a0a434ca9697a565379f5111aa5a832f |
| SHA512 | bd6df2755bc0a80a924d83babf27edb7a4e312fc7dce4fdf58342b72183125f68a28ebea9dfc9c8f46991c7fbd9cc070c723b2575e806d29c69a24a8b2c38920 |
memory/2160-8-0x0000000000640000-0x0000000000680000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\px-ahfw1.0.vb
| MD5 | 5476b370d914955329081456d649175a |
| SHA1 | eb2ed4d5a0975ef92aa06c8104c02b6eb9945951 |
| SHA256 | ccf052d74dc0f2002baf169e505306463aa279f3ab2180e4b838f3e167a6ef1c |
| SHA512 | 6e193bae518c6aef8e6d783d240d1ba09059a8e05e14734aedff3dec4fa8145b2a20a1588e9882507f49fd7ad2b1f45b78fabbfde1ba0ecd8e4901538c18be11 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc7188.tmp
| MD5 | 0434c8a74411fe09941a055c8e1fa7a3 |
| SHA1 | 145f2772c2ae3e284be729da4fb91dc7a018d50c |
| SHA256 | ed7e62d83b232e1e1e44246574389e798e83df0263a0fcaaecaf6c0f1644c0c6 |
| SHA512 | e39f95e97a4f5c55ac042e1f0c603f16edc6aa54f7f4f42932ec5f90ad6cba7cf980ef1753b3df124b4ffdd0921929e8858ca12fe0e4811a74ba83d40fc1f1e4 |
C:\Users\Admin\AppData\Local\Temp\RES7198.tmp
| MD5 | 9639cfbe7ac0a12e99420853b105ced3 |
| SHA1 | d628b3f44652130388ad1a4d1c9ec04a36abe311 |
| SHA256 | c96efe4c5f536bd59f28e9c246d5acb56cad9c95cda5fc1db1a7ae4cb482a347 |
| SHA512 | 9bcda157446c15c415ba7ada10aec16789c8c664634417e6cec63658264b8af674bb3af936ef08984776b982eb276ed1e9c2dc03476abdb873c0123e6a90b297 |
C:\Users\Admin\AppData\Local\Temp\tmp7002.tmp.exe
| MD5 | a46e9489a690a9379161333b3ce52b30 |
| SHA1 | e979b02b839bc0e4693ea9105ffb5ac34dd47821 |
| SHA256 | 21fc44d5bc5c15dc32c520dd0887b2f8a1f3369e45d1c4078f514a0d966a42e9 |
| SHA512 | 46ef6566a6a48a7609cac62c717111a1371f68fedb85a3cef5eef0acdcef90ff640e8916f98c67911c16f968ba0403a50b2b607dacb9d2c2de48efb9b40d5faa |
memory/2380-23-0x0000000074E70000-0x000000007541B000-memory.dmp
memory/2564-24-0x0000000074E70000-0x000000007541B000-memory.dmp
memory/2564-26-0x0000000074E70000-0x000000007541B000-memory.dmp
memory/2564-25-0x00000000024B0000-0x00000000024F0000-memory.dmp
memory/2564-28-0x00000000024B0000-0x00000000024F0000-memory.dmp
memory/2564-30-0x00000000024B0000-0x00000000024F0000-memory.dmp
memory/2564-29-0x0000000074E70000-0x000000007541B000-memory.dmp
memory/2564-31-0x00000000024B0000-0x00000000024F0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 04:08
Reported
2024-04-09 04:11
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp754F.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp754F.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp754F.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe
"C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cxodislu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB036E4EEB0C44319D5A66D8B905D57.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp754F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp754F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fd971b19abf6d7c500d50ae8c0f781c1a25f1f48e7706f696db5da0b91f2da42.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp |
Files
memory/4500-0-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/4500-1-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/4500-2-0x0000000001470000-0x0000000001480000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cxodislu.cmdline
| MD5 | e41fc44a590d9c3d5c078d7388d3ebd4 |
| SHA1 | e393dbd4cb5bd7241713d8f5d2b187d66340ecc2 |
| SHA256 | e02d0117aff4a0caf70b59d1ae83655b693f9e7da97d991a45ee1c85287c30cf |
| SHA512 | 18cfe565b9a8fc351ae53ebe2ada70f79170a9ce39db98b8cff4d9fea5d7bfdae5fa86f933f49551fc13e35022d07ef02f5a4a4796d38931c46f7a38076ef271 |
memory/1504-8-0x0000000000CE0000-0x0000000000CF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cxodislu.0.vb
| MD5 | 7f597925695a66055272d03f47e1681b |
| SHA1 | f0b7d7c797bb7e290470e4bc66f0547928b4c46d |
| SHA256 | bc69b8140a597338f09d9ee27bbc8fc4dd70ed51fd2f0791e2ad8c61916de145 |
| SHA512 | 6260ce459c6c908fbfce8b6c2f4ebbb22c22a7c5c16cee73d34eac201b2bd6576c42cd4f10a51e275710df8161de4eb7cc3dda2dbb0fdcde680ad727eaec8fe3 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbcFB036E4EEB0C44319D5A66D8B905D57.TMP
| MD5 | ac1c1875526d2bb63e5b30446f2d3b4a |
| SHA1 | 6988757a6b4cd708b6d2b0e264f55e7eefa195d3 |
| SHA256 | 4a95ccde80d37bc2e7aa9c16ce1b5840dbe66eb4fc5cf4e1cb682873a56663de |
| SHA512 | 19e94bb259b95999d20629b3bc4825a327de758fa19fdd0cc4da2f4b8515b7afcb576f501bc32cfe09b5fad77db1b58366406d57b83ae42c5154af7fdd35cf4d |
C:\Users\Admin\AppData\Local\Temp\RES76F5.tmp
| MD5 | 1e626f0bbf56e36a72d2b208c32130d2 |
| SHA1 | 5807d46589863aa54a7839ed5a1088c04eb53877 |
| SHA256 | e875bcc1a890bb7b74f7bbc996e675c42461e6fa03312a1ebcb0462dce711046 |
| SHA512 | c0d72281f79785a2fb64c66d4ee2d8f92217649e06d1c26ea22c0c05ce073c163a6cfd22943a8d5910bbae7794de872c1aaca1a31c1562ed5659001d96740d8d |
C:\Users\Admin\AppData\Local\Temp\tmp754F.tmp.exe
| MD5 | 1aee2cd34b0cc6d444c41b4eb621e5a7 |
| SHA1 | e06becadcd18269a588a16a5e19ac96559cf9824 |
| SHA256 | c8a6d00a3b172f77394812fb7520752a132017ee41113c2c97af2c362a4bf35b |
| SHA512 | b39fc7b769207394bb6a7f181bab35821eb063a11bfa57603b59af3c2f5a66797b3e230d96521bfeaa4f7e1ffc3906eddef161159e5de73894f2c2c55f267b64 |
memory/4552-21-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/4552-23-0x0000000000850000-0x0000000000860000-memory.dmp
memory/4552-24-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/4500-22-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/4552-26-0x0000000000850000-0x0000000000860000-memory.dmp
memory/4552-27-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/4552-28-0x0000000000850000-0x0000000000860000-memory.dmp
memory/4552-29-0x0000000000850000-0x0000000000860000-memory.dmp