Analysis Overview
SHA256
cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154
Threat Level: Known bad
The file cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-11 02:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-11 02:49
Reported
2024-04-11 02:52
Platform
win7-20240221-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp52C2.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp52C2.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp52C2.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe
"C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9ddfn5pu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54A5.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp52C2.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp52C2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2332-0-0x00000000741E0000-0x000000007478B000-memory.dmp
memory/2332-1-0x00000000741E0000-0x000000007478B000-memory.dmp
memory/2332-2-0x0000000000230000-0x0000000000270000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9ddfn5pu.cmdline
| MD5 | 698ec1e4144ae283b03d445864955e29 |
| SHA1 | 700b9faf70ee75fd2ef2fd33d0f49a6dda6b9f4b |
| SHA256 | 605e2f9400034ac9816e6490172c4e72ccdb18fbeaba07ecfbcc930fa02897b4 |
| SHA512 | 6ce2bb0fe1a92e4417d4cf42b0bdfcb141d5e01df4b9775f682f9dcd100e778c0679579a947e8e037638bf50d385ba94f3c87679e128b92f587e38cbc2e221a1 |
C:\Users\Admin\AppData\Local\Temp\9ddfn5pu.0.vb
| MD5 | 4ee33b7b7ecf0604aee8992b919826c2 |
| SHA1 | 42928cc8e0998e9f52767ca5e5dcb79376575d7b |
| SHA256 | f815b92bc1467bc94166752505702a12b6082fc5ac3c5eb542137f1962eaadb9 |
| SHA512 | 71788d515d22e3c4befb8b22638333620090637793ca2ed5842315855db8bd0384f0db7a0a5772e83b22c8a379f68207fa036b6696c26c1a8dd608c6e34ba957 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc54A5.tmp
| MD5 | 8a73fa1320be75170e7d89438992c0b3 |
| SHA1 | e9151193e15fe48dd85e06de95ae2c46dd68ace8 |
| SHA256 | d2f9f2e00b93d46b0af8ce2294a7dd541b414effbaec98d4b586a262409f169a |
| SHA512 | da6d5fa92d1312311342c7402aa78cef4a5affcc402d77b34a860c0cc9ada948ee0a90ab90c0d4703053e61a2da37a6b3cc88be3efe46f10981c4609247df84c |
C:\Users\Admin\AppData\Local\Temp\RES54B6.tmp
| MD5 | 01311a04c58d199f85e136206468fa3b |
| SHA1 | c92840e7683c7e398440822c1e384eb4091aa7b7 |
| SHA256 | fe2652c4877771d7ba1ccde87b1beec888c7f00be5340fd7c0af0f8195e4ba3b |
| SHA512 | a993300940ac5896f9b85d5d96a5282a21250761311d3d28a0f07e673d99dc16c372b4a3ad160cffa981f22b0f1982802c1ffa7be5e30becc08d8fee8eeeec79 |
C:\Users\Admin\AppData\Local\Temp\tmp52C2.tmp.exe
| MD5 | a699fc5a57e52751d4353f25085c078b |
| SHA1 | 40a2ca7ff32a6c8556b6938ad4d1dc1ea81680de |
| SHA256 | be937497f57f75aa1b49c245850bd51bc32b66fbf6736617aab6ffbcfbe50b51 |
| SHA512 | 20fb28ec5500ce9d7e6eab3415162c7594ef7fc4c1ba603dd02c65b2bce7b4ab1eb3de125f40053f6633e4eb939d384e1ef9e83760ff9a65069df5e2cba5117b |
memory/2332-22-0x00000000741E0000-0x000000007478B000-memory.dmp
memory/2564-23-0x00000000741E0000-0x000000007478B000-memory.dmp
memory/2564-24-0x0000000000920000-0x0000000000960000-memory.dmp
memory/2564-25-0x00000000741E0000-0x000000007478B000-memory.dmp
memory/2564-27-0x0000000000920000-0x0000000000960000-memory.dmp
memory/2564-28-0x00000000741E0000-0x000000007478B000-memory.dmp
memory/2564-29-0x0000000000920000-0x0000000000960000-memory.dmp
memory/2564-30-0x0000000000920000-0x0000000000960000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-11 02:49
Reported
2024-04-11 02:52
Platform
win10v2004-20240226-en
Max time kernel
162s
Max time network
166s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA568.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpA568.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA568.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe
"C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0pwut-ki.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6FE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDD807EE983C349BAA544F0D7AD259972.TMP"
C:\Users\Admin\AppData\Local\Temp\tmpA568.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA568.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cbe963ced5bd1a9f1876d563a4d91143c3ba010f4d80b496d23872bb6d87f154.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | | tcp |
Files
memory/1936-0-0x0000000075070000-0x0000000075621000-memory.dmp
memory/1936-2-0x0000000001320000-0x0000000001330000-memory.dmp
memory/1936-1-0x0000000075070000-0x0000000075621000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0pwut-ki.cmdline
| MD5 | d2c3591c3002e7ac6018077ab9c20fab |
| SHA1 | 948a350383600bbefe79eb04351b43c48dbd0d28 |
| SHA256 | 8060ebab04a74d1bb5c195c51cdfb7d767dbe96acf12c0997dcfd671bc97cf71 |
| SHA512 | 872be4a70632251c1fc256350d2bf8f5a0669960f36de3866ad8e1692d6ef395561422f87bc64e0b6a35bf634a058db5882c476e45221c7d109d98f770b0c4e9 |
memory/3704-8-0x0000000000AA0000-0x0000000000AB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0pwut-ki.0.vb
| MD5 | 3267da79df5c027afed00cb142972936 |
| SHA1 | 71557b61bee553ed1888eb0bb5e10e24c7394e8e |
| SHA256 | a474209b2877ae473c2640b199cfbad1f2512633e1ced3fa255ddde1d12b4cc6 |
| SHA512 | 0bb54a5da9b8e9f1cd95475749db6ba63f8740dc53d7915fa7a0481e9309b1b4270235e93e2a3fae155dd7064f85086d56043eba51ed89194ea98b1134e4820a |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbcDD807EE983C349BAA544F0D7AD259972.TMP
| MD5 | f3d1ceddd6d405ffa87d093f8a3e500f |
| SHA1 | 2d71d6d369697266ced8ba3c2045863b4cdbc0c9 |
| SHA256 | 836fe9019fe53fff0d87598c3a909fa7974a7388b3fb1108b167e9238994b911 |
| SHA512 | ee57f2392c48d8c2a56e5ec024f0c87fafea380ffcb556ab799348a8cb2fefe28600fc6d95751633e52c480eb0d06028561572e8542a3fb473650db1576918dd |
C:\Users\Admin\AppData\Local\Temp\RESA6FE.tmp
| MD5 | 0633e2710848fa0e6ed3e9f91db13df4 |
| SHA1 | 62725f80b52aab9d357d980ef41c163a55a44074 |
| SHA256 | ff7b1a4dedf28084b32201bfd36b3296e5bc1aedfda4245ec677d6c1710fb471 |
| SHA512 | 3c63f6f5eb13bbe9329306040836b4ddd09519af6df2b9740413b5c2775f32427af22a5800b36727bfc2d39ed48e7b1770cace6a174d401be60b8f4f3ff150d4 |
C:\Users\Admin\AppData\Local\Temp\tmpA568.tmp.exe
| MD5 | 6f2c9c65319553141b755cd740f6df22 |
| SHA1 | 989979383eb3047b09ccd0e11cb374b51263e198 |
| SHA256 | 8439f953d141e43ee0da23f85d05a6619bd119a369aab29d9b677935d18bda3d |
| SHA512 | 9235f9325c4e493eaca3142c7fe3c5d20e4deb2e07f387fa82696187595d06e0625dfa089cc0a688701f1d2e34279180fef686f88c815551751ddd7b40075618 |
memory/4116-21-0x0000000075070000-0x0000000075621000-memory.dmp
memory/4116-22-0x00000000016D0000-0x00000000016E0000-memory.dmp
memory/1936-23-0x0000000075070000-0x0000000075621000-memory.dmp
memory/4116-25-0x00000000016D0000-0x00000000016E0000-memory.dmp
memory/4116-26-0x0000000075070000-0x0000000075621000-memory.dmp
memory/4116-27-0x00000000016D0000-0x00000000016E0000-memory.dmp
memory/4116-28-0x00000000016D0000-0x00000000016E0000-memory.dmp