Analysis Overview
SHA256
2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba
Threat Level: Known bad
The file 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Deletes itself
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 19:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 19:44
Reported
2024-04-08 19:47
Platform
win7-20240221-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9DF4.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp9DF4.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9DF4.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe
"C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jc4u20th.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA111.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA100.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp9DF4.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9DF4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
Files
memory/1580-0-0x0000000074370000-0x000000007491B000-memory.dmp
memory/1580-1-0x0000000074370000-0x000000007491B000-memory.dmp
memory/1580-2-0x0000000000380000-0x00000000003C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jc4u20th.cmdline
| MD5 | ffbc924085d1899bed499150aaa2a904 |
| SHA1 | 64b7f5c83321d07e8cf0d96d2c42900ec9269069 |
| SHA256 | 72dc49d5e5c427239adc8755517352f1fc6e14c2178c30a1c56bd42fc1bc5769 |
| SHA512 | c9cf43ca349a784244dfc0969509e69d79abdd4d8206d42cbffb78e57b3ba986b5043d568184e9a1da561ba37fc04d72985192ba7a2641f5681fdc62012d6d9f |
memory/2480-8-0x0000000000250000-0x0000000000290000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jc4u20th.0.vb
| MD5 | 4882f251bbcc6a181944aa6f8d58e076 |
| SHA1 | 7e4527ca82249c37c7542e796a6066c4741e0a82 |
| SHA256 | 0cd988fcefb3e745673aa11a762325cdfa990a3b8b820a4b12c0487afe58a75e |
| SHA512 | dec5f8b4fc7e1b9cdc02294de83517ead9b5c7560a01125bf56571444827fea3edfd640972387a574bb5768b8b8c24e9f9f15df179c30512644a3b9094f9241b |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbcA100.tmp
| MD5 | 6a00cce1944f90427cc355bc410cf8ac |
| SHA1 | 24aabf1c957d08d99e51b839689e9b868f96ee2c |
| SHA256 | 1e74fc192037046a0bdd0928cf5f985650b2ef3a55a23e5a33ed9d9746f2dc91 |
| SHA512 | ebe47043aacbdc2ddddfffde75ee8f05dacfce9a4e6cac25b7e0b0819dc65d19e8f4c5668485c66feb766e3129a201e62f1e4d64d7caae97f6f636b3a1cad043 |
C:\Users\Admin\AppData\Local\Temp\RESA111.tmp
| MD5 | d098314cb303dc8da5ce342de7bd2b61 |
| SHA1 | 8f4e38ce6fe1b6399d3e209d35f08f10c5ee7533 |
| SHA256 | 5cca08c9630b1a9a434dc127b7d818f937d8b5be5cfb3a9083c343397883866c |
| SHA512 | 85a9bb3d565f3173258900e226085fe0708007af13bbd1563f9090aa61393014599f1283b59636a96e08d42c69ead422dfcdbfac6b0f6484d22e215c051e8cd4 |
C:\Users\Admin\AppData\Local\Temp\tmp9DF4.tmp.exe
| MD5 | a1e42933b9249d45f8564a9b7ece23ac |
| SHA1 | cbd16019d4e0ad9d898f7b493bc7627f0687cb53 |
| SHA256 | be9692991ee5295bfe385bdde3bf650df783b9aa7f43e85ab5772fb55e8f52cf |
| SHA512 | 7374e144c8728ca36bf76fb093139ca1e61f4abcc3ea4874a42980f42f04a487bbf6c3e8853cd18676d641bba0d8503d0b03a027dde0612c7768884fb87cfe59 |
memory/2680-24-0x0000000074370000-0x000000007491B000-memory.dmp
memory/1580-23-0x0000000074370000-0x000000007491B000-memory.dmp
memory/2680-25-0x0000000000B10000-0x0000000000B50000-memory.dmp
memory/2680-26-0x0000000074370000-0x000000007491B000-memory.dmp
memory/2680-28-0x0000000000B10000-0x0000000000B50000-memory.dmp
memory/2680-29-0x0000000074370000-0x000000007491B000-memory.dmp
memory/2680-30-0x0000000000B10000-0x0000000000B50000-memory.dmp
memory/2680-31-0x0000000000B10000-0x0000000000B50000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 19:44
Reported
2024-04-08 19:47
Platform
win10v2004-20240319-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe
"C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tlgmbvvn.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7ABE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc97A72AB2B14E44218E6EE5323D9CFEDF.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| GB | 13.105.221.15:443 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | | tcp |
Files
memory/496-0-0x0000000075070000-0x0000000075621000-memory.dmp
memory/496-1-0x0000000075070000-0x0000000075621000-memory.dmp
memory/496-2-0x0000000000B20000-0x0000000000B30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tlgmbvvn.cmdline
| MD5 | 0b40a607d8594ca78dc1b33bed745035 |
| SHA1 | 7919530129690fa7be1c2d7c2907cb68986ac9b7 |
| SHA256 | f8f61091357e484f9e3d73c3916d29dd27ebce3823a412f5572e56e862f566dc |
| SHA512 | a5dd8e1e821acbc267637b6c9c43501590d111764587950a6f8b36eef369fb6bd63079658b76f3792a806ed33e95f68d3d8ba63f9179a4d6ff25bf837f2d09a8 |
memory/1944-8-0x00000000024D0000-0x00000000024E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tlgmbvvn.0.vb
| MD5 | 21ad08b33ec0d979eef6dc27946c6b46 |
| SHA1 | b97bb14303d9fbdb0fc4209bca6d7aaa48f1a5d2 |
| SHA256 | fdfe5eae7cebfef2f84a8bf6ca416a6be6d4392b079f1ebe120f6e80987954df |
| SHA512 | f6041c4b6677f177ec554aaded1aa9b6225088b6b51e27555982c68937643b3bc841b36ce101002ef961ce300bc8ffdb85c881cf8447159cf799f0a2090a15e1 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc97A72AB2B14E44218E6EE5323D9CFEDF.TMP
| MD5 | 530998809fda3e5823264c4f2c2bea8d |
| SHA1 | f325ebbc72e26a09a3c5776cd6aeee3a5c7e36fb |
| SHA256 | 0ec66fe7d64c9f355bd8de5a818e24f45b6cf66b7e6e206f8565670f378ca2ed |
| SHA512 | e7d69de193c5a774dc38fb89d2afa44e5a266275c320d8e0fc8d80ea48f902a29f9ba612dbe928a9262ec70a08d0a0a07dee757b95b45a4f7aeee864ad7f4573 |
C:\Users\Admin\AppData\Local\Temp\RES7ABE.tmp
| MD5 | 1b4e24b0423d285a49780b2d54e545fc |
| SHA1 | 9d7e9f97cab20e9783b2d6cffc5f7e9a2cfd2994 |
| SHA256 | ea53a778fa3faf7904e74ad719b5489795c114ea419c89a8df28e5bd7a205f9e |
| SHA512 | 81f3964363fcc267c3979996818b15f615ac214077cf49045f66044cb1853775f0e0e4a754dad46f36b89dce39e9946015f0316108cc44c3722954b05321301f |
C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe
| MD5 | feb1f1d9d0192ebae986f941630cbb0e |
| SHA1 | be7951231b94f24fc69958c7a4b496d35824a59b |
| SHA256 | 9a721c2c8cc049071b2f3322dd0cee8a9e3305baa310af1a27daef336caef36e |
| SHA512 | ab5d5e2d9842b49b5412abce2ada2d55d7d92f891ae4ad4942a1c560af4ffaf75edc159def83e7c89909b3fa095aaaf90dd2072cfffda1abfbd987234a3048ef |
memory/496-21-0x0000000075070000-0x0000000075621000-memory.dmp
memory/4036-22-0x0000000075070000-0x0000000075621000-memory.dmp
memory/4036-23-0x00000000013D0000-0x00000000013E0000-memory.dmp
memory/4036-24-0x0000000075070000-0x0000000075621000-memory.dmp
memory/4036-26-0x00000000013D0000-0x00000000013E0000-memory.dmp
memory/4036-27-0x0000000075070000-0x0000000075621000-memory.dmp
memory/4036-28-0x00000000013D0000-0x00000000013E0000-memory.dmp
memory/4036-29-0x00000000013D0000-0x00000000013E0000-memory.dmp