Analysis Overview
SHA256
1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a
Threat Level: Known bad
The file 1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Deletes itself
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-11 19:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-11 19:17
Reported
2024-04-11 19:20
Platform
win7-20240221-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp2CEA.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp2CEA.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp2CEA.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp2CEA.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe
"C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tbq-p7_x.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D97.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D96.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp2CEA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2CEA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | | tcp |
Files
memory/1692-0-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/1692-1-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/1692-2-0x0000000000070000-0x00000000000B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tbq-p7_x.cmdline
| MD5 | fd83d9fc5d521718e71b37afc896ee0d |
| SHA1 | 1729fc7b4f32705ed4f3bab1758032ae03272807 |
| SHA256 | 62101747b869e287d20e9c7f98bf450e2a798db69039cce0d3d90a42bd93eec9 |
| SHA512 | 6d3c10f97323ff081bf2ecf114ec7463a14e17c9b18d36ca36a525c2e11bb91149115caee281547124f4920fcf352a5ef3a95b8423e6126dd2cafd2efa7ff950 |
C:\Users\Admin\AppData\Local\Temp\tbq-p7_x.0.vb
| MD5 | acbbe96d9415ba0fd9e60fd4e0735e97 |
| SHA1 | 2494fc9b27066f8aaee54aa5a5ebf999ead5a7bb |
| SHA256 | 1c17bfa49a4c2943f414a83182d28c229aa224d0b22914d9bda153cf891a6830 |
| SHA512 | 6b65e5fd8bd7d07b76675a92754ef70880c70aa0531d4530b9445ed352bebb8bbf4d668797d070d271a073e4c02a6593f16f8418c5fe4fd36045bd0cdf54ac92 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\tmp2CEA.tmp.exe
| MD5 | 09252445d37dae6d98158434099a935f |
| SHA1 | 449991a5bae01c0c4e1f3139c11c148c65932dfd |
| SHA256 | 1722f485639057ea429cb42f0c5b44fb493aaa8f91aea44150a1676b95fe0ee2 |
| SHA512 | f4ffad86884860df0ee8134ec92d9303e3d6b51850e94da2c7e77797e03c896f289a312afb715a5b6f61dbddb8453cd38ba1e040dec8359501c2fc0d05f601da |
C:\Users\Admin\AppData\Local\Temp\RES2D97.tmp
| MD5 | 87a1a3f1493d0be1771dcf0a0052bf8b |
| SHA1 | 4f558a27309d018d293b8d8245c2c6331c66105b |
| SHA256 | f4b6fb0f26301083b4a1bbe85884db51e005dddf7b9633c9fb195243514e29ad |
| SHA512 | 2b3d931c6bede3dd280eaf8c096b51c0d09470aba0cfde5a8fd07c624e60d23ec4d26bd04fa42ac3240e1879aad42be620f24ddb4cfe59d678ff2ed0ff2251b0 |
C:\Users\Admin\AppData\Local\Temp\vbc2D96.tmp
| MD5 | b808d16ee5c32357c3561e07586eed17 |
| SHA1 | 54f68f2fce48aa1bb73646c6bdbc3f94bfdc858a |
| SHA256 | c52796ac119a40015126db66726122f35dcd24ec79727efa83d5c82ad2de6ae2 |
| SHA512 | d5aa031613cf043826add904e6a87d4c946207b43fe271a5346a191e6ea15fdd6e567c35a2d9d7eea311fd77eaaf03847bbc2678a8f86874712c46db92e5efc4 |
memory/2528-23-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/2528-24-0x0000000000180000-0x00000000001C0000-memory.dmp
memory/1692-22-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/2528-25-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/2528-27-0x0000000000180000-0x00000000001C0000-memory.dmp
memory/2528-28-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/2528-29-0x0000000000180000-0x00000000001C0000-memory.dmp
memory/2528-30-0x0000000000180000-0x00000000001C0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-11 19:17
Reported
2024-04-11 19:20
Platform
win10v2004-20240226-en
Max time kernel
139s
Max time network
152s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp445C.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp445C.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp445C.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe
"C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h4yskf9d.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4508.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6A878C4E15D4E44B9E3727621291FF8.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp445C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp445C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1f492e2d5089b55778825d282b8e41687539cd4e322558b1e85acc678d5c2a1a.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/3064-0-0x0000000074720000-0x0000000074CD1000-memory.dmp
memory/3064-1-0x0000000000A20000-0x0000000000A30000-memory.dmp
memory/3064-2-0x0000000074720000-0x0000000074CD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\h4yskf9d.cmdline
| MD5 | 3e3f1ae67ceaee3d4de447e3c2f705ef |
| SHA1 | c2df63480144d55a3760924e24ff6bbbd01cc516 |
| SHA256 | 1a558a8fde7aeee636aafcf06b6066a390648f1be71f627e1d5f689ee92a8c07 |
| SHA512 | 53c919a4e6fd0c22b75198b9beb1577c797dec5673475f96b7149020e7e0e4242490f890008c25074cf9343da803272f91c57c2087bd94fd75a6209e1dce756a |
memory/5040-8-0x00000000006E0000-0x00000000006F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\h4yskf9d.0.vb
| MD5 | 88f56f7799e75ba444b25f4c46f114d1 |
| SHA1 | ee363f00fb685f2a0c69cca30d814a432be5c558 |
| SHA256 | ab5fd3e16c5babe1bda7d477716c8015fcf74ec4b7d16d8073be25d1067daed0 |
| SHA512 | 188aed61bcdfcc50ff8194af6ea2e35b19f2742003a7641597a2996bf2900b66d026e23c48945bcba17e527b9b565d66f21556294d05a73c844f0ede7aaf6e6f |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbcA6A878C4E15D4E44B9E3727621291FF8.TMP
| MD5 | f85881a38d34c3a0af520bc976b42094 |
| SHA1 | 743fb9d9f2d13a63a40b3ba0db1bbd1faf8d2d77 |
| SHA256 | 3aa17f4bb630fd3ba61fea472bc61ca48323ae17381288d607638405be4b5f2e |
| SHA512 | 7171c258f55101743c19c968a691b790093fd796bbc0d176f238570579fd1866622b73263c13a256af4aed028f3dd500198c2e057c0bc18d76bb842b0b523cb2 |
C:\Users\Admin\AppData\Local\Temp\RES4508.tmp
| MD5 | b197d5832c67410f1ce745719ae04ba2 |
| SHA1 | 660edd094e8040c3416057bc2dc46d8ec887f176 |
| SHA256 | 49b7ba1cbbc2efc2cc3d242103016d2200ba612e1960c89b87b164b8cf4b0635 |
| SHA512 | 84b9f04b4016bc08bf8e2da1a94ad0e81a0d2290d6cb83ed20d2018b6f40a71a013243521f9baeac8f56aa354b4d67b66d1ed62bc6f039ec3cdc526c6a93065f |
C:\Users\Admin\AppData\Local\Temp\tmp445C.tmp.exe
| MD5 | 136f6bb0f797dca8f090ec0dcf20c99d |
| SHA1 | 40ed42ec7ee0e9244afcec1abebfe6180fb69e6c |
| SHA256 | cdfc2124c1ac3c3f4ae6d85787f86ab3b002e94543b138add1e22917cd92324e |
| SHA512 | 54424e8df0961ad4fb466c7abf46bd5d07eae8c8818997b142b01a025b6cd86b189d209ddf7d1996eda10621081d6d80576a9651fd98342914c68fdc541d4a69 |
memory/3892-22-0x0000000074720000-0x0000000074CD1000-memory.dmp
memory/3064-21-0x0000000074720000-0x0000000074CD1000-memory.dmp
memory/3892-23-0x00000000015D0000-0x00000000015E0000-memory.dmp
memory/3892-24-0x0000000074720000-0x0000000074CD1000-memory.dmp
memory/3892-26-0x00000000015D0000-0x00000000015E0000-memory.dmp
memory/3892-27-0x0000000074720000-0x0000000074CD1000-memory.dmp
memory/3892-28-0x00000000015D0000-0x00000000015E0000-memory.dmp
memory/3892-29-0x00000000015D0000-0x00000000015E0000-memory.dmp