Analysis Overview
SHA256
2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa
Threat Level: Known bad
The file 2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-10 19:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 19:44
Reported
2024-04-10 19:46
Platform
win7-20240221-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp2221.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp2221.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp2221.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe
"C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bm_bsgxk.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc22AD.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp2221.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2221.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
Files
memory/2320-0-0x00000000741C0000-0x000000007476B000-memory.dmp
memory/2320-1-0x00000000003A0000-0x00000000003E0000-memory.dmp
memory/2320-2-0x00000000741C0000-0x000000007476B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bm_bsgxk.cmdline
| MD5 | d931a535563cd6f3fbfa68bac6909c0b |
| SHA1 | 7fcb224a9f105c158aba70dda018a471a9bc9088 |
| SHA256 | cec6be495ce901440c66421cebfedd39b09a1c09a1b4051394b54d12a7b19fa3 |
| SHA512 | c731c9fd6ba2bdf40ddd1475ad763b89849caa0a15cb26fcfd432fc27c8cc8e18126da3043cb4eb3d1ee01c08934e1fd6a8bab63e1fdcd79124a028f087023cb |
C:\Users\Admin\AppData\Local\Temp\bm_bsgxk.0.vb
| MD5 | 9d1612ccc8a72cfded5fa7ec9fabc0da |
| SHA1 | 2bb4d8ff2d5a244a56ed0f2efc8a51c670aa772d |
| SHA256 | f3017413c9ffbb30ebc12bf016162f8245440d182bad5ef52bda1ab16d5c387b |
| SHA512 | 1cf791a1b46ddc2a7067a8f9163f09b259fa4c87c3c0d72ddc0122b9593d59f6ab7c94de831ef23d3b1f4852deea422bd2d0335106e89e563dd0b18aadd60619 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc22AD.tmp
| MD5 | 7450775cbd03f82cf86939e971e28df6 |
| SHA1 | ca775221de8c8a288112565d8ab6f3878551dfc7 |
| SHA256 | c5ce81245e612960390865f679449110195af7d2b63a9b3dacc7caf7ece01be4 |
| SHA512 | 5d5f9748f353803694bb022ed6ad7c412c52f098d863141e0c7338612adf020f5e53634856a293622585d886660a634cbb5311bc3adda55c308be98318c0bf2a |
C:\Users\Admin\AppData\Local\Temp\RES22BE.tmp
| MD5 | 22a2122c1630ef78909e82e2b4573c9a |
| SHA1 | d4527a0e6edf17bb9ca238d6c3fcc674cb1250dd |
| SHA256 | c98e5d2eda6a8499f27cd5fdf4ddf4e4813714a82ef187da51ce3637153286fc |
| SHA512 | 643afa5b2a5b05fc9028fde03fee24e770140585b68b352ae8ddfd70d4948a30df43b5b7f9ab1b1c892560b6b58467749c336b5d4cd7a60dd74f87647972a258 |
C:\Users\Admin\AppData\Local\Temp\tmp2221.tmp.exe
| MD5 | f2c894574183d897efefa4090c06a6b1 |
| SHA1 | 6f7db1820174463a293bdcff603e2f55cc306fe5 |
| SHA256 | b6398d8ceb0481b47282fa42a650e639fdb42eedd1f7615ea52e48f5307c45a1 |
| SHA512 | ab4423d197e95b0bc8609adae23821e0692cd9de74eb152b75c0ed37d12ec8c310061fa940e5552d0884c219035c993e4f5e33d78428538b327d5292df6d20bc |
memory/2320-22-0x00000000741C0000-0x000000007476B000-memory.dmp
memory/2036-23-0x00000000741C0000-0x000000007476B000-memory.dmp
memory/2036-24-0x0000000001FC0000-0x0000000002000000-memory.dmp
memory/2036-25-0x00000000741C0000-0x000000007476B000-memory.dmp
memory/2036-27-0x0000000001FC0000-0x0000000002000000-memory.dmp
memory/2036-29-0x0000000001FC0000-0x0000000002000000-memory.dmp
memory/2036-28-0x00000000741C0000-0x000000007476B000-memory.dmp
memory/2036-30-0x0000000001FC0000-0x0000000002000000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 19:44
Reported
2024-04-10 19:46
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3E22.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp3E22.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3E22.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe
"C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3ikqlgjt.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA707452506E417491E7BE378B7E97A.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp3E22.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3E22.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2629f2bc5858bc67c11abec0541d599efc77b78a9e4964032436a40f12f269fa.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.192.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/3320-0-0x0000000074A20000-0x0000000074FD1000-memory.dmp
memory/3320-1-0x0000000001420000-0x0000000001430000-memory.dmp
memory/3320-2-0x0000000074A20000-0x0000000074FD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3ikqlgjt.cmdline
| MD5 | d4d7e6883afa0a2350f64d02c6cfab9e |
| SHA1 | d947222b01d0d8a1f4e32e07e73bbe41ea9ccfef |
| SHA256 | a1a6a670306019bd662827b8066573761496725572cec18cf55dc876c0f85cc2 |
| SHA512 | 9c9c00116dea53fe74e7dd8090ddcbadf8ea87f51ce95eb83027a275445d2ba6ed9e65380750526ed60ab05cdc954dd4ab1738702b5c472b7826d204041bc69f |
memory/760-8-0x0000000002580000-0x0000000002590000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3ikqlgjt.0.vb
| MD5 | 014933ad9788865788e4686bdc586182 |
| SHA1 | bbef1a01851d23bdb56e24bde749c660d55833bc |
| SHA256 | a66c7d407a2f4635ecb2444f385cf6469081fd21bb91e2a39f7f046f17374f7a |
| SHA512 | cab30a990d7c5cea6f80e20288f53f2505efd028f857b6956f7980369073af62d4e3f707f8f433e683d5de3f0e43a31ef61e8a84c6fe5ff8ffbc4f06e7745e74 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbcCA707452506E417491E7BE378B7E97A.TMP
| MD5 | ff460d2d5373e4746d499f92fce12973 |
| SHA1 | c2c5532ee338d15015eff3b93c3745acc66173be |
| SHA256 | 0f9ee87eda344cc2e2e1ef7917aa92494de5bfa5de97b224b56a0a60592d096e |
| SHA512 | 4b95923d4f7d6895c1c09b4ee777752c5d2dea045bad4005717e1892a6c6e1cc76673a39517614e9a9633ff43212ef8a1ddc01ea6a3d3a13325d1dad1820b812 |
C:\Users\Admin\AppData\Local\Temp\RES3EFD.tmp
| MD5 | bd3c298f6d895b9c67b8b3c592a53443 |
| SHA1 | cfd4c5ea9698a7a00024589dd6ee35cfb2ef46d0 |
| SHA256 | 7551ff46594b8907b2ddcba4d8aceed3338403812a28baa9c2df2bdeb9e93210 |
| SHA512 | 7f7c1ebfe6631b77136626d5204ec6d9ea88e2afb5bcbe5a389af9cf2e5e46b15c3093ff4a9ebbf683557dc5b658427a781c7bea5790945cc1527c57780b3716 |
C:\Users\Admin\AppData\Local\Temp\tmp3E22.tmp.exe
| MD5 | cbe62edd92d5054a1f25efa744b4daa4 |
| SHA1 | 50978fac9c188dd1fcb49f06fc45ab6a74eb3544 |
| SHA256 | 3467b3cc823d7159632cb946baaf36b78b25e12f56bc78953008b3f123e58cda |
| SHA512 | f6899741538ebace6bc6876c84cf73d6bb86f45d8b29b506a097439c24967a371912d9781f0016749b1b1ce927faf7e936e00f66e0432c0a530bce175a5e9086 |
memory/4656-23-0x0000000001770000-0x0000000001780000-memory.dmp
memory/4656-22-0x0000000074A20000-0x0000000074FD1000-memory.dmp
memory/3320-21-0x0000000074A20000-0x0000000074FD1000-memory.dmp
memory/4656-24-0x0000000074A20000-0x0000000074FD1000-memory.dmp
memory/4656-26-0x0000000001770000-0x0000000001780000-memory.dmp
memory/4656-27-0x0000000074A20000-0x0000000074FD1000-memory.dmp
memory/4656-28-0x0000000001770000-0x0000000001780000-memory.dmp
memory/4656-29-0x0000000001770000-0x0000000001780000-memory.dmp