Analysis Overview
SHA256
071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd
Threat Level: Known bad
The file 071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Uses the VBS compiler for execution
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported: 2024-04-10 18:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-10 18:24
Reported: 2024-04-10 18:26
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 150s
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe
"C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kyoijapj.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2711.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2710.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp.exe" C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
Files
C:\Users\Admin\AppData\Local\Temp\kyoijapj.cmdline
| MD5 | bd1642efa0803d3b1996eab8689ed3c3 |
| SHA1 | 4ace649d6536dcc2bf367f262596c7e4f8f85f2b |
| SHA256 | 132a5ea28c76113dcfedbf0a1a7044d6ce12d785c62d196405345b8ffc94c366 |
| SHA512 | 3ac24cdad6ac779a36172ee7488243bcb2d9cbd72a8d7209329a7bf6ea0af145200c0c0c97a093cd54fe6aba8e5d6e12af1a6d2ece60acb4953f1fc2b3823727 |
C:\Users\Admin\AppData\Local\Temp\kyoijapj.0.vb
| MD5 | 7f166286cd15a65a27c2c81cae07a325 |
| SHA1 | a8051deb0cfa168755627872ecf052dba7ecd30e |
| SHA256 | ddc73777ba9b7178952f784c691770cca1d0e5f7fb719ab85fbfda62b01692e0 |
| SHA512 | 47374204cad5d71fc7fdd7191aa7ff67b1391d05af7c6ce2439da2135232cd5fc8eab71aff3b3866331b739288787d1a8ad6fbd9b69db9c63133bbfe6f2e6027 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc2710.tmp
| MD5 | 5515fab6c292cae84a580d0d9c05e2df |
| SHA1 | 88b6865514e2668f02503a0fa05164aeaee88179 |
| SHA256 | ae2b9558f6e6dd9639d78994322f9ddf0c9e60921ca6988f270f06ff7559c269 |
| SHA512 | d039e122f342f53f82fc561a1c8f144e52d7eba176904582d1d2bf1be351d7b31da2533e823753e0b91482e21631a431a3bcad63d63a73c5b3391bacec3d3012 |
C:\Users\Admin\AppData\Local\Temp\RES2711.tmp
| MD5 | bc7f718df39961d0907d9ac0b2b3a405 |
| SHA1 | ed2dd5bf55f90305e83a3f708b2edf6aaa9e77ae |
| SHA256 | 0f1c7edb84105cb9c40368558c9f25d99d13fc9e5327ac96e371ce6b31743d3c |
| SHA512 | 93d81c9d6fdc46aa3a511bf9e5b7459e87ccb4398c311ee170f5c3d7ec36d4f23963434b8af987b24a24c906a8d12af9fd8c0bc7b62b149a8b7e67e04fa05441 |
C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp.exe
| MD5 | 1067857aa05eb71d55db05b0989318cb |
| SHA1 | de9bb43e36c252957301ad43f78b8358ec3a54a8 |
| SHA256 | 3b07a4880dd51112864fcf8d005a5ce89c8e0e9b70736c2de54ee28d6923b456 |
| SHA512 | 6dcf19c1006b3466317b554da786feb3a025091724be1afadba70173c96bb6f14c52846aa94b167e55a0dc26ad6ba37b48b03ba903643c03cc170612d5dfc7fb |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-04-10 18:24
Reported: 2024-04-10 18:27
Platform: win10v2004-20240226-en
Max time kernel: 154s
Max time network: 160s
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1EAE.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp1EAE.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1EAE.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe
"C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\07axwebr.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B70.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C334DDED914C0891754323614EE234.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp1EAE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1EAE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\071cb12ff099c2fe4ba11bb8815304cc7e2c9e2b198cd9415e579346cd13cdcd.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 216.58.201.106:443 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\07axwebr.cmdline
| MD5 | 82f8b47b3ac1e3b1418e58a2747bce84 |
| SHA1 | 72998a1797f7aba714f1f4f3c084d71147d29f15 |
| SHA256 | 48598ec9ec3c69ecf5b1a676769fa31c8ab0854edf7879c8108bb2e44b65d47c |
| SHA512 | 0b2ae354c85670e5862ab51338eff3c92ea9f8f5c8876d51441972bc9a5460f762f95c4a3f4c47646d660afebf6b38fb3de2647533bd99868eecc90bb8ff8119 |
C:\Users\Admin\AppData\Local\Temp\07axwebr.0.vb
| MD5 | 125d62dd5c0c3da9e0b55cdd82afa6fa |
| SHA1 | 78d20aa110a5e47e89e5e2bed2ba16d080ec283c |
| SHA256 | 0cb6513206c6bb553fa91eedb42d3322302d1b2bdb6c1c7ac529a35cd8be5042 |
| SHA512 | e8f413bb2ce3a443542163f64181ef2fcad632ecd928d0ecb3028e3edc645de444e97bc608e80f417ad3de8394ca9eb3ae14ef995a79b9c6c481355effdb2593 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc2C334DDED914C0891754323614EE234.TMP
| MD5 | af2d1037c34574e25454cc7f7e180573 |
| SHA1 | f838aba1b1bddded28a9c63ca03d98a9dc3ff7bb |
| SHA256 | efc964f5f8bb954ce7233f76f7126802a4ae830a94de7b8033263f2ce9d3060a |
| SHA512 | e21afd2b66a514f0000aeb02304a78186bebd0b6ff4f181454434506181b30841c753f2195b0c17b530c05c84ad0dc608ea742e906e1225e4d459eaa6018a170 |
C:\Users\Admin\AppData\Local\Temp\RES2B70.tmp
| MD5 | efa9832990f552a00abed65d61dd6bd8 |
| SHA1 | 0b799a297c3472822931062160230580454f9bd7 |
| SHA256 | 40d3cfce1c655a4b0ac5c60b72894bf97b1c5ee5b6042dbeafc151694b3447e2 |
| SHA512 | 0ce9ad79ed476fc913763a22a63287b6c51efbe381a224b12c4aafe8918ef26de671f72d68628ff5243ee123f897d15237233e255e23e55fcce6492ff0ccfc2f |
C:\Users\Admin\AppData\Local\Temp\tmp1EAE.tmp.exe
| MD5 | 179e6502c10d7c6b434e4ccead710926 |
| SHA1 | b60e2cc07520868b85e3b703614d7747ba62f996 |
| SHA256 | fadf0df7446f600802893692ee545cfae6d85007125bb61f927ec5f4dd8a4c90 |
| SHA512 | 528ce77c66f45b3ff29515c56f448b82c9b09e5715f43e637a06e575272ac3078abdd4933bae7267ee1696a136f7fc30d6d77905178fa39fc5813d75ec65d18c |