Analysis Overview
SHA256
0c8f66821d843ff7afefec7d55e5a0c68ab1f5a828b6175b508c80972f184ebe
Threat Level: Known bad
The file 0c8f66821d843ff7afefec7d55e5a0c68ab1f5a828b6175b508c80972f184ebe was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Deletes itself
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-11 18:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-11 18:34
Reported
2024-04-11 18:36
Platform
win7-20240221-en
Max time kernel
158s
Max time network
168s
Command Line
Signatures
MetamorpherRAT
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA515.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA515.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0c8f66821d843ff7afefec7d55e5a0c68ab1f5a828b6175b508c80972f184ebe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0c8f66821d843ff7afefec7d55e5a0c68ab1f5a828b6175b508c80972f184ebe.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpA515.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0c8f66821d843ff7afefec7d55e5a0c68ab1f5a828b6175b508c80972f184ebe.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpA515.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0c8f66821d843ff7afefec7d55e5a0c68ab1f5a828b6175b508c80972f184ebe.exe
"C:\Users\Admin\AppData\Local\Temp\0c8f66821d843ff7afefec7d55e5a0c68ab1f5a828b6175b508c80972f184ebe.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p_ksopiq.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA68D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA68C.tmp"
C:\Users\Admin\AppData\Local\Temp\tmpA515.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA515.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0c8f66821d843ff7afefec7d55e5a0c68ab1f5a828b6175b508c80972f184ebe.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2744-0-0x0000000074A70000-0x000000007501B000-memory.dmp
memory/2744-1-0x0000000074A70000-0x000000007501B000-memory.dmp
memory/2744-2-0x00000000001F0000-0x0000000000230000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\p_ksopiq.cmdline
| Algorithm | Digest |
| --- | --- |
| MD5 | 7f11241f0d06de2fe13ab276466b66be |
| SHA1 | 23b70a19122bf2a84e09847c5d208a515316b493 |
| SHA256 | 55243bbb66230645ce8544071c0fa4a86bcddd7fbbabe4925d5a126047dcebdd |
| SHA512 | eb1b729a4b1bf9822ab9c9bd58026f866b5a4a1a0315a4e7d7b8dc9f5476b3fdd362897e3a10b96ff468c41943ded14f53de5b63b40492aed23db23813c78767 |
C:\Users\Admin\AppData\Local\Temp\p_ksopiq.0.vb
| Algorithm | Digest |
| --- | --- |
| MD5 | a5e951fc3dc7c6a9f30c1a8b5f42911d |
| SHA1 | 9789744cd0c1072e372105b391532d228b9e7cf8 |
| SHA256 | b3cd874583c5a033a9aa3c54181f6255b295628f89b51ec6013e8992a8d5e0c2 |
| SHA512 | 9d1b1588b7b2b592fa25ca9f70566e1e2e160b0382c8fbc4f7bde52d0fdf0164420139ff824be7cfea514dc98c3ddc5d75d0a378318390354da73a929192d10c |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| Algorithm | Digest |
| --- | --- |
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbcA68C.tmp
| Algorithm | Digest |
| --- | --- |
| MD5 | 2badf98f3422a8bc1cf2f1b725235339 |
| SHA1 | 9920f696422bf98c4581c8fb4a8779e108f5ac95 |
| SHA256 | c66617ce206fd70cdbf1e05937d280671defb417aa5c9bc7ddff04ec9507987e |
| SHA512 | ce214b01f52ce7fc89e67b8d4321d251877312c6e47ced7269ef3a21e8dab80c62460784f95ba4863a26f205f12c1f16cd36614cb9322776563a8c36a6e25df7 |
C:\Users\Admin\AppData\Local\Temp\RESA68D.tmp
| Algorithm | Digest |
| --- | --- |
| MD5 | 8b9b964abe485e3bab2fbffbc5f950e7 |
| SHA1 | 1b8edd2c3976f763c4c599923e84c77b14c065bd |
| SHA256 | 18ec19003076a43a5a43d9b9d85e97ada2fc186eac2a6d0c1e1c9b0a23b72384 |
| SHA512 | f2868c653269876461de2b4e0802ea416b3e45795cf987c4bf7f3bf61bd6223efe83cae53c92d84ccb99cb17c6f3914a326fc74906e0eca18391f2c7af5f3e74 |
C:\Users\Admin\AppData\Local\Temp\tmpA515.tmp.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 56d122f5cf93c932d0f0fb14a1920369 |
| SHA1 | 81a7474262a08465cd3b038e9742144ae58f8164 |
| SHA256 | da734e292d7262bf2246f6c00c3a6b8fdb96770f73d479fffe817b44b657eadc |
| SHA512 | c2a72eb3212566ccd18a24ef7ba21a7105a1ce820c573454e4a59f0628a3d095f1d22f1066093c9d74257a2c5f358fc2f6c5097508bd9e5bffd98313ba429419 |
memory/2744-22-0x0000000074A70000-0x000000007501B000-memory.dmp
memory/2444-23-0x0000000074A70000-0x000000007501B000-memory.dmp
memory/2444-24-0x0000000000360000-0x00000000003A0000-memory.dmp
memory/2444-25-0x0000000074A70000-0x000000007501B000-memory.dmp
memory/2444-27-0x0000000000360000-0x00000000003A0000-memory.dmp
memory/2444-28-0x0000000074A70000-0x000000007501B000-memory.dmp
memory/2444-29-0x0000000000360000-0x00000000003A0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-11 18:34
Reported
2024-04-11 18:36
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0c8f66821d843ff7afefec7d55e5a0c68ab1f5a828b6175b508c80972f184ebe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6477.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp6477.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0c8f66821d843ff7afefec7d55e5a0c68ab1f5a828b6175b508c80972f184ebe.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp6477.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0c8f66821d843ff7afefec7d55e5a0c68ab1f5a828b6175b508c80972f184ebe.exe
"C:\Users\Admin\AppData\Local\Temp\0c8f66821d843ff7afefec7d55e5a0c68ab1f5a828b6175b508c80972f184ebe.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ppv9tpha.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES668A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD121F9BD31FD4A3FB638E81FE3868F87.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp6477.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6477.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0c8f66821d843ff7afefec7d55e5a0c68ab1f5a828b6175b508c80972f184ebe.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2776-0-0x00000000749A0000-0x0000000074F51000-memory.dmp
memory/2776-1-0x00000000749A0000-0x0000000074F51000-memory.dmp
memory/2776-2-0x0000000001190000-0x00000000011A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ppv9tpha.cmdline
| Algorithm | Digest |
| --- | --- |
| MD5 | bb78e704cf059e44c10009c523165ebd |
| SHA1 | e4ba0f73da55075cc837a1c4fba12b18b914951d |
| SHA256 | d75a4dc6e8d30729604580cc3746ed4096ad473569cab6bdccb96edc1a79756e |
| SHA512 | 1e49620b1b1a502798f194e02b25f8421ec63bcce774c55117932f3b9e10b564e849e24e59988c2a574944c48bcc8724a5f26011a2b94625efbd926685657acd |
memory/5052-8-0x0000000002430000-0x0000000002440000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ppv9tpha.0.vb
| Algorithm | Digest |
| --- | --- |
| MD5 | 48aa11b95a4ff250d55b4b7cce638a3b |
| SHA1 | 2920258c2b65181de9a0e7d2f489dfd6c4a8cf5f |
| SHA256 | 6171dca0e4ca82259b5cc53f3d66dc9c0e88aacd09c63d709c75024e6e6a343b |
| SHA512 | 03958c7c8b61cb8a7e3564660dec16af2ba925b7c1261c3797b12b403e47194e99bd1f0f9d6f607c858816436737d1c5a21c0d93d1298ee156fe49cf119fd768 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| Algorithm | Digest |
| --- | --- |
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbcD121F9BD31FD4A3FB638E81FE3868F87.TMP
| Algorithm | Digest |
| --- | --- |
| MD5 | 96c2e4c8e70642d07e24a4bda8aebc25 |
| SHA1 | 864d531739ac68c033a2ff2c89d14a9a9daac5df |
| SHA256 | 5c58173737a7e2b40ee8c80c8e1eb2fcdd9dcf43eaaa11d519cbb07b9a62d279 |
| SHA512 | 4ff8e5d9fd3e69865a4dfd5c05e0f55f66b3f3d4e771e0e5cc4f6f9dfebf4aa5010e626cd883bfbfb92ccf0775fd9a6f0392a56fa17a09773040911e0b80bfe5 |
C:\Users\Admin\AppData\Local\Temp\RES668A.tmp
| Algorithm | Digest |
| --- | --- |
| MD5 | 75556a5c882b2979033be2a05d30a736 |
| SHA1 | d00e699d121971a6178857b2d4144073d991f0e3 |
| SHA256 | 24419bd58e399a6ab5a729b76c03459ff1a3837a24d7b720daf0428278fd04de |
| SHA512 | 715dbfc7e822769cbf940090bdc7cae260d6f5a741a7ae58feb950fde38e30021ca8c1ed625c2ffb60eb609b1890ac25ce7a7a469d0b49d11c0b808e203b981b |
C:\Users\Admin\AppData\Local\Temp\tmp6477.tmp.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | c0c91e6ddc4a24a1bf151206f7195ffd |
| SHA1 | a6217396d51432b674a5dd599858c530ee75f186 |
| SHA256 | 91a22098a7e6e0076f170e1f1cc76fe01a1aea58a907c3998929e3c7d127d23f |
| SHA512 | c14960e13784637bdd7fb4e2a9f1df5004f4627b686cff28272c6b29faa309cd3b1bdd729bb8f0405b4e9b74eb221e134bb7b1eb554455c519c501c718a2d149 |
memory/2776-22-0x00000000749A0000-0x0000000074F51000-memory.dmp
memory/3028-21-0x00000000749A0000-0x0000000074F51000-memory.dmp
memory/3028-23-0x00000000749A0000-0x0000000074F51000-memory.dmp
memory/3028-24-0x0000000001000000-0x0000000001010000-memory.dmp
memory/3028-26-0x0000000001000000-0x0000000001010000-memory.dmp
memory/3028-27-0x00000000749A0000-0x0000000074F51000-memory.dmp
memory/3028-28-0x0000000001000000-0x0000000001010000-memory.dmp
memory/3028-29-0x0000000001000000-0x0000000001010000-memory.dmp