Analysis Overview
SHA256
b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a
Threat Level: Known bad
The file b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Deletes itself
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-11 01:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-11 01:59
Reported
2024-04-11 02:01
Platform
win7-20240215-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
MetamorpherRAT
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe
"C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wugczifs.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1AE1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1AE0.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2484-0-0x0000000074AA0000-0x000000007504B000-memory.dmp
memory/2484-1-0x0000000074AA0000-0x000000007504B000-memory.dmp
memory/2484-2-0x00000000004C0000-0x0000000000500000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wugczifs.cmdline
| MD5 | d89b5c48de5ea74b9c8a7235a778af67 |
| SHA1 | 125864f1fab174ece89b872e249e58680b8c3dd1 |
| SHA256 | ee18c30d10452c1d1dce36d5207c385d4eddd70dfa1a7b446b9048ba0a23f412 |
| SHA512 | 0f98379b58840e97836655c4021b758110f9c096e7be318c9f59854e8e7aeb612f657ed30bd47236c3750d443ac20e3d56e456976020c38be01d9d53c7ade568 |
C:\Users\Admin\AppData\Local\Temp\wugczifs.0.vb
| MD5 | f57009636b4d06606014e7b4a7dc1cb0 |
| SHA1 | 3813a628e74af7e5ad1510e10a3794d059acfb8e |
| SHA256 | c2de535d8a01aa0046e4a030f3509ce524056450d3f39631322869fc77725fc6 |
| SHA512 | 722a6ed348dccb6a578a50c82eb9da6454d30c3def5469ae6c082e670a9632d4d46261e752c3d5c022f0d1bcbf2262ab964fb95cf776272f8f85d11d861e2e32 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc1AE0.tmp
| MD5 | bd508733cd568487c7b25c38cc2e26fa |
| SHA1 | a3bdd2dbdaa0fdb1d841832be5d4ab2abb9a1747 |
| SHA256 | 8ca4fcce51d195d000b4d94a1539065eda2ee418c4022225f5a5807321cb9025 |
| SHA512 | 89db2f0fd5fe44c46359174aa490e81287a2f4ebfd9fee88155687f4365b17361f3384cfe2ff27f808d5535b81f6cd5a68d3966dfca64afdabdf0e7cb4ce77d1 |
C:\Users\Admin\AppData\Local\Temp\RES1AE1.tmp
| MD5 | adc9b0364417ef9839dce70a805a1c55 |
| SHA1 | cf8a6084002164a3ce745842bc1e5ce5a6778181 |
| SHA256 | f70a45cd2eb9f87aa681575892fe76b57aca1222c2e9820e9f2ab2136fbc1631 |
| SHA512 | 910fa041dea1fd3ac5f644c5d341037846bd9df6c9bd9a16a29b3e8ddf4fb127de527688cb14de0d1b5326b9c394cab7e50b7e2aa401a2e6cbb3b06d9d14ef52 |
C:\Users\Admin\AppData\Local\Temp\tmp1A35.tmp.exe
| MD5 | 3b0692d30cf8e27e48ac948567e25901 |
| SHA1 | eab944d4e11395900bb5903b2f314f68eb042fa5 |
| SHA256 | 953aec2aa5a608b0573e39e1238cb5ff0b129c2f98c6dfb92bdc6037891cc1aa |
| SHA512 | acfdf81e15e9789f74d81419a341e210db5ef6f1ab427fdfded8147f39777183bbc51f6536b535be0e320b522f847d16f537afdf17bdae95631e83c40fc4c05a |
memory/2484-22-0x0000000074AA0000-0x000000007504B000-memory.dmp
memory/2608-24-0x0000000000A20000-0x0000000000A60000-memory.dmp
memory/2608-25-0x0000000074AA0000-0x000000007504B000-memory.dmp
memory/2608-23-0x0000000074AA0000-0x000000007504B000-memory.dmp
memory/2608-27-0x0000000000A20000-0x0000000000A60000-memory.dmp
memory/2608-28-0x0000000074AA0000-0x000000007504B000-memory.dmp
memory/2608-29-0x0000000000A20000-0x0000000000A60000-memory.dmp
memory/2608-30-0x0000000000A20000-0x0000000000A60000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-11 01:59
Reported
2024-04-11 02:01
Platform
win10v2004-20240226-en
Max time kernel
162s
Max time network
167s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe
"C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vg1yvvsj.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8ED2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A6EA494B1EF4BD2AF2CEAD19F5C3FF.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b4fb8920cd5ea8946bf7a6baa26639a979a245c964601ca0e7b355c1067b4c4a.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
Files
memory/352-0-0x00000000746A0000-0x0000000074C51000-memory.dmp
memory/352-1-0x00000000746A0000-0x0000000074C51000-memory.dmp
memory/352-2-0x0000000001170000-0x0000000001180000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vg1yvvsj.cmdline
| MD5 | 08b7fe54e9389047597883029ea4fdff |
| SHA1 | 3fb6f2d6d25c8383c72bae9681745609a288c6c9 |
| SHA256 | a28adf5bb8eee33c3c4ac535ce4dc6229ab4e8a34c9cd8baa11e8a3382ef0cf0 |
| SHA512 | dfeee00e38b4260b44770b1b762cf79e7d74633d55c3d99750dac886f98ede0bb4d4f1e992b6c7a6b83e57d28847479acb2fdf8bb03441ab44bedda53e57a2ab |
memory/4208-8-0x0000000002680000-0x0000000002690000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vg1yvvsj.0.vb
| MD5 | fde5a90b2433dceaa9edbfdd46b6ccda |
| SHA1 | 67d0021f9cf96356195174015952c8df65523a59 |
| SHA256 | e3af64e7c555ee610ed84d2ddb1f8fd4dc43e2b283aae03e757972b8bb50199c |
| SHA512 | 0bed78d9e0f4c221218c4074cde619f92820c5628e114d78d0c68f9b87e141971c94f74539a899272af1fc0dd36ed9b94bdeb7c8c4c1bc563707f9c63f6526d9 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc1A6EA494B1EF4BD2AF2CEAD19F5C3FF.TMP
| MD5 | 934d30669ceb83f23a9cc0328ba47fa3 |
| SHA1 | 5e933aa042721a1907a24c8d74aec959289787ba |
| SHA256 | 4aae529bbbf1883af235fe875e63104075387bfd4a884b59db649fb19c11d36a |
| SHA512 | 5e7147b6a17cffae4cd0388f766250e8bebb9510984098edae3091d683035412fc33b7564373e7d6b157f254faa362281ef64cd6265b53c087f6b4dddc818fde |
C:\Users\Admin\AppData\Local\Temp\RES8ED2.tmp
| MD5 | 389a87e9619e7736acf195a1cb05721e |
| SHA1 | e353db6f515464df804d0283cdb7e0204b7ad38f |
| SHA256 | 522cd729c9db23474edcd8f92dd81b6267847ef26893f9903964c7fc89d9e727 |
| SHA512 | 5e259f3c488eee6d2c26ff26c4e3961ff9faa10220f0e42a483dfdc73f99e57a4dd216c8dc31536b804a5873bc09c2025d8eb3207201611cc84d3d52debc1c79 |
C:\Users\Admin\AppData\Local\Temp\tmp8BA6.tmp.exe
| MD5 | d12cc6665e949ba38b2d9540e5729519 |
| SHA1 | b82135a42d712e80d7369fc6275a488c087485b6 |
| SHA256 | 5de6274f049206c3456f9c3ddc1f017aa77f4ef444110eea9341c762daa16220 |
| SHA512 | 2f794fce27bd63d3c205614ee72ecb8b4dff6894c3132b9888c6e72e5790c6e056bf72fbc8e9438eb64553ddada44531e1f4b0ec3d714277d28861cf8dcd3774 |
memory/352-21-0x00000000746A0000-0x0000000074C51000-memory.dmp
memory/1544-22-0x00000000746A0000-0x0000000074C51000-memory.dmp
memory/1544-23-0x0000000000910000-0x0000000000920000-memory.dmp
memory/1544-24-0x00000000746A0000-0x0000000074C51000-memory.dmp
memory/1544-26-0x0000000000910000-0x0000000000920000-memory.dmp
memory/1544-27-0x00000000746A0000-0x0000000074C51000-memory.dmp
memory/1544-28-0x0000000000910000-0x0000000000920000-memory.dmp
memory/1544-29-0x0000000000910000-0x0000000000920000-memory.dmp