Analysis Overview
| SHA256 | 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2 |
| Threat Level | Known bad |
The file 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Executes dropped EXE
Checks computer location settings
Deletes itself
Uses the VBS compiler for execution
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-04-08 23:42 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-04-08 23:42 |
| Reported | 2024-04-08 23:45 |
| Platform | win10v2004-20240226-en |
| Max time kernel | 150s |
| Max time network | 154s |
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp56EA.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp56EA.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp56EA.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp56EA.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe | "C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ycvwefbh.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5890.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A670FCA7A334F54A44161660A0D9CB.TMP" |
| C:\Users\Admin\AppData\Local\Temp\tmp56EA.tmp.exe | "C:\Users\Admin\AppData\Local\Temp\tmp56EA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe |
Network
Files
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-04-08 23:42 |
| Reported | 2024-04-08 23:45 |
| Platform | win7-20240215-en |
| Max time kernel | 150s |
| Max time network | 150s |
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe | "C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uozzhbfw.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1121.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1120.tmp" |
| C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.exe | "C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe |
Network
Files