Analysis Overview
SHA256
d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e
Threat Level: Known bad
The file d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 02:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 02:00
Reported
2024-04-08 02:02
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp95B8.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp95B8.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp95B8.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe
"C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zggyny_a.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9877.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc12D51EACE16D463881A9B7152B4CB0.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp95B8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp95B8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | bejnz.com | udp | 1 |
| US | 34.67.9.172:80 | bejnz.com | tcp | 100 |
| US | 34.67.9.172:80 | N/A | tcp | 1 |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp | 26 |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp | 1 |
Identical rows of the capture are merged; Count is the number of occurrences. The last row of the original table had no Domain cell (shown as N/A). hackorchronix.no-ip.biz is queried 26 times over the run but no TCP connection to it appears in the capture; all 101 TCP connections go to bejnz.com at 34.67.9.172:80. The report does not show the DNS responses, so whether the no-ip.biz name failed to resolve or resolved to an unreachable host cannot be read from it. Among the reverse lookups, 172.9.67.34.in-addr.arpa is the PTR name for 34.67.9.172 itself.
Files
memory/4004-0-0x0000000074E20000-0x00000000753D1000-memory.dmp
memory/4004-1-0x0000000074E20000-0x00000000753D1000-memory.dmp
memory/4004-2-0x0000000000DF0000-0x0000000000E00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zggyny_a.cmdline
| MD5 | 3f32bee5d01ba8c9221fc86cc6abf01b |
| SHA1 | b91abfe88437e02315ed274585aaa767a0d6041d |
| SHA256 | 3b3c17f8e2bc00364fb028d0a6f0e95434b3241107659147c757f375e5047e42 |
| SHA512 | ce01bba628d758573ac2a4a919199de931d9f72596121dfa223fc632ae5a73ea2fa75c457efb622b6da3697a4f115c3d452f91f543fd53f15c0e71009378e143 |
C:\Users\Admin\AppData\Local\Temp\zggyny_a.0.vb
| MD5 | c87e312addaca667a248342317ee43e7 |
| SHA1 | 2bb285f770ad6ebfcee602d98a86796e4092ba3c |
| SHA256 | 8b2372bcb8eed59383af9ed5fd783ad9eb4b63df7e8c7d2f7dad8a561579d927 |
| SHA512 | e6f83cb0c0e4a38cde032a56e9b0ba06b561489e15d72667fe149e8f9d08d7f30487bd8ee85c870525dd9fcdc95b11be9d6ddf32ab6f5ce87612db5339970a9d |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc12D51EACE16D463881A9B7152B4CB0.TMP
| MD5 | 80bb7da641b09eb99e7708c259239a27 |
| SHA1 | bb3f1d5713b551ea38c5c792402b2911513d7aab |
| SHA256 | 22c243aee2e8022b9b4cb0860e9eb499a8818eccf65ae97d273e6a7a855bc6d1 |
| SHA512 | f5c40f6f62c3839a419c9fa985c1b0edc69d0e9def8fe511447e93ba9d816da13472d22813d68a42884eb4d369b3d7274c9322fedea48c810c1e9c95bb4d5abe |
C:\Users\Admin\AppData\Local\Temp\RES9877.tmp
| MD5 | cdddd359871468d1c085087170e488b1 |
| SHA1 | 51e4ad0121bd2a3210b615d541dc51f8c7f277bc |
| SHA256 | 8451552219b08b881c30eae9a31a24ae02ccdb43d69c40d59ec7391749607751 |
| SHA512 | 3bf7e6a5c1fe38d3745bbc9572c9673a87c74eba8cdca2614684d3d480fe17d4648529eda75da712ec4988866799dc529b0ed375c93c334bd5b377a1673994a4 |
C:\Users\Admin\AppData\Local\Temp\tmp95B8.tmp.exe
| MD5 | 56d63316eca2de05b3c5101cc49a02b7 |
| SHA1 | 0f7c055941e1527b8d6637e669ac54244d43a652 |
| SHA256 | bd3981369cf2cc92f7be09865f1ebdfe3dccccc89489fab5ec5448f111e7e46d |
| SHA512 | e85ae7f3510bd889a12035c90c79d7b049658a57fbc9ec583758c11c46567aa320276b6cc8bee5af0ae1c4ef19b10e9dbe67959c2c2409d0652ff9dfc802750e |
memory/4004-20-0x0000000074E20000-0x00000000753D1000-memory.dmp
memory/3100-21-0x0000000074E20000-0x00000000753D1000-memory.dmp
memory/3100-22-0x0000000000CA0000-0x0000000000CB0000-memory.dmp
memory/3100-23-0x0000000074E20000-0x00000000753D1000-memory.dmp
memory/3100-25-0x0000000000CA0000-0x0000000000CB0000-memory.dmp
memory/3100-26-0x0000000074E20000-0x00000000753D1000-memory.dmp
memory/3100-27-0x0000000000CA0000-0x0000000000CB0000-memory.dmp
memory/3100-28-0x0000000000CA0000-0x0000000000CB0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 02:00
Reported
2024-04-08 02:02
Platform
win7-20240221-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe
"C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mj1d4ouw.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E39.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E38.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe
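Both behavioral runs (win10v2004 above under behavioral2, and this win7 run) show the same loader chain: the sample writes a Visual Basic source file and a compiler response file to %TEMP%, runs the .NET Framework 2.0 vbc.exe with /noconfig @<name>.cmdline (vbc.exe in turn runs cvtres.exe to build the RES*.tmp resource object), then executes the freshly compiled tmpXXXX.tmp.exe with its own path as the only argument, and that second stage sets the HKCU Run value System.XML pointing at AppLaunch.exe in %TEMP%. AppLaunch.exe itself does not appear in either run's Files list, so the report does not show the persistence target being written. The following Python is an added example, not part of the sandbox output: it encodes the three observable links of that chain as rules and runs them over constructed process-creation and registry-set records shaped after this report's Processes and Signatures entries, plus two benign records (an MSBuild build that also launches vbc.exe, and a normal OneDrive Run value) to show what the rules do not fire on. The record layout, the pids chosen for vbc.exe and cvtres.exe (5000, 5001) and the benign records are assumptions of the example; pids 4004 and 3100 are the ones in the win10 run's memory dump names.

```python
"""Rules for the runtime-compilation loader chain seen in this report.

Added example, not part of the sandbox output. Event records are
constructed to mirror the report's Processes and Signatures entries;
the field names and the pids for vbc.exe/cvtres.exe are assumed.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str           # "process" (creation) or "registry" (value set)
    pid: int
    ppid: int
    image: str          # full path of the process image
    cmdline: str = ""   # process events only
    reg_key: str = ""   # registry events: key\value name
    reg_data: str = ""  # registry events: data written


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# @"...\Temp\<name>.cmdline" response file, as passed to vbc.exe in the report
RESPONSE_FILE = re.compile(r'@"?[^"]*\\AppData\\Local\\Temp\\[^"]*\.cmdline', re.I)
# tmpXXXX.tmp.exe output name produced by the runtime compilation
TMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\tmp[0-9A-F]{4}\.tmp\.exe$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DOTNET_COMPILERS = ("\\vbc.exe", "\\csc.exe")


def detect(events):
    """Return one hit per matched rule; an empty list means no chain link was seen."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    hits = []
    for e in events:
        parent = procs.get(e.ppid)
        if e.kind == "process" and e.image.lower().endswith(DOTNET_COMPILERS):
            # Link 1: a .NET compiler spawned by a process living in %TEMP%
            # and fed a response file from %TEMP% (a real build has neither).
            if parent and TEMP_DIR.search(parent.image) and RESPONSE_FILE.search(e.cmdline):
                hits.append({"rule": "runtime_compile", "pid": e.pid, "parent": parent.image})
        elif e.kind == "process" and TMP_EXE.search(e.image):
            # Link 2: the compiler output run by the same %TEMP% parent; here the
            # parent hands its own path over as the argument.
            if parent and TEMP_DIR.search(parent.image):
                hits.append({"rule": "dropped_tmp_exe", "pid": e.pid,
                             "parent_path_as_arg": parent.image.lower() in e.cmdline.lower()})
        elif e.kind == "registry" and RUN_KEY.search(e.reg_key):
            # Link 3: HKCU Run value whose target lives in %TEMP%.
            if TEMP_DIR.search(e.reg_data):
                hits.append({"rule": "temp_run_key", "pid": e.pid, "data": e.reg_data})
    return hits


SID = r"\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000"
T = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = T + r"\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe"

# Constructed from the win10 run; pids 4004/3100 come from its memory dump
# names, 5000/5001 for the compiler processes are invented.
CHAIN = [
    Event("process", 4004, 1, SAMPLE, f'"{SAMPLE}"'),
    Event("process", 5000, 4004, NET + r"\vbc.exe",
          f'"{NET}\\vbc.exe" /noconfig @"{T}\\zggyny_a.cmdline"'),
    Event("process", 5001, 5000, NET + r"\cvtres.exe",
          f'{NET}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{T}\\RES9877.tmp" '
          f'"{T}\\vbc12D51EACE16D463881A9B7152B4CB0.TMP"'),
    Event("process", 3100, 4004, T + r"\tmp95B8.tmp.exe", f'"{T}\\tmp95B8.tmp.exe" {SAMPLE}'),
    Event("registry", 3100, 4004, T + r"\tmp95B8.tmp.exe",
          reg_key=SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML",
          reg_data=f'"{T}\\AppLaunch.exe"'),
]

# Constructed benign activity: a normal build and a normal Run value.
BENIGN = [
    Event("process", 7000, 1, r"C:\Program Files\dotnet\MSBuild.exe"),
    Event("process", 7001, 7000, NET + r"\vbc.exe",
          f'"{NET}\\vbc.exe" /noconfig @"C:\\src\\app\\obj\\Debug\\app.cmdline"'),
    Event("registry", 7002, 1, r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
          reg_key=SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          reg_data=r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for hit in detect(CHAIN):
        print(hit)
    print("benign hits:", detect(BENIGN))
```

Each rule keys on the parent living in %TEMP% rather than on vbc.exe or a Run key alone, which is what keeps developer builds and ordinary autostart entries out of the results; csc.exe is included because the same CodeDOM-style compilation can just as easily be driven through the C# compiler.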
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | bejnz.com | udp | 1 |
| US | 34.67.9.172:80 | bejnz.com | tcp | 101 |
| US | 34.67.9.172:80 | N/A | tcp | 1 |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp | 1 |
Identical rows of the capture are merged; Count is the number of occurrences. The last row of the original table had no Domain cell (shown as N/A). As in the win10 run, hackorchronix.no-ip.biz is only queried; every TCP connection goes to bejnz.com at 34.67.9.172:80.
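The Network tables of both runs list one destination many times and one name that is queried but never connected to. The following Python is an added example, not part of the report: it parses rows in the report's table layout into an IOC summary that separates hosts actually contacted from names that were only looked up, maps in-addr.arpa queries back to the address they reverse-resolve (which is how the 172.9.67.34.in-addr.arpa row in the win10 run turns out to be a PTR lookup of the contacted address 34.67.9.172), and tolerates the malformed last row whose Domain cell is missing. SAMPLE_TABLE is a constructed excerpt of the report's own rows, a handful of them rather than the full capture.

```python
"""IOC summary from a sandbox Network table.

Added example, not part of the report. SAMPLE_TABLE is a constructed
excerpt of the report's own rows (same four columns), including the
malformed last row that has no Domain cell.
"""
import re
from collections import Counter

SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | tcp |
"""

PTR_NAME = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.I)


def parse_rows(table):
    """Parse '| Country | Destination | Domain | Proto |' lines into dicts."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue                      # blank line or header row
        if len(cells) == 3:               # Domain cell missing, as in the report's last row
            cells.insert(2, "")
        country, dest, domain, proto = cells[:4]
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'172.9.67.34.in-addr.arpa' -> '34.67.9.172'; None for ordinary names."""
    m = PTR_NAME.match(name)
    return ".".join(reversed(m.groups())) if m else None


def summarize(rows):
    """Split the capture into what was contacted and what was merely looked up."""
    dns_queries, connections, ptr_targets = Counter(), Counter(), set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_targets.add(ip)       # reverse lookup: keep the address, not the name
            else:
                dns_queries[r["domain"]] += 1
        else:
            connections[(r["ip"], r["port"], r["domain"] or None)] += 1
    connected_domains = {d for (_, _, d) in connections if d}
    connected_ips = {ip for (ip, _, _) in connections}
    return {
        "connections": dict(connections),
        # names the sample asked for but never connected to (dead or failed C2)
        "dns_only": {d: n for d, n in dns_queries.items() if d not in connected_domains},
        "ptr_targets": ptr_targets,
        # contacted addresses that were also reverse-resolved during the run
        "c2_ptr_lookup": sorted(connected_ips & ptr_targets),
        # resolver traffic to 8.8.8.8 is deliberately left out of the block list
        "block": {"domains": sorted(connected_domains | set(dns_queries)),
                  "ips": sorted(connected_ips)},
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(SAMPLE_TABLE)).items():
        print(key, value)
```

The dns_only bucket is the part worth keeping an eye on: a name the sample keeps asking for without ever connecting is a fallback C2 that may come alive later, so it belongs on the block list alongside the host actually contacted.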
Files
memory/804-0-0x0000000074F80000-0x000000007552B000-memory.dmp
memory/804-1-0x0000000074F80000-0x000000007552B000-memory.dmp
memory/804-2-0x0000000000320000-0x0000000000360000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mj1d4ouw.cmdline
| MD5 | c995ffea880ae5effe711bcc31a67526 |
| SHA1 | f31c9c9957a34457a177e4c572b683e4205c7b7a |
| SHA256 | 5d2c914f5902cda377495a9bc2a8e1ea192f162a5e2e5f311e42165c22d45e16 |
| SHA512 | ab7d90b6615a850de599cde5a2a97cc4a80c98c523f3674f26b46a4a0b9636087214d375c2335f66beace1bd238215d673e14f79ca9e3d04f4ba4fc623b30203 |
memory/2992-8-0x0000000001F30000-0x0000000001F70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mj1d4ouw.0.vb
| MD5 | 4548e12a02cc1f752616bdf4a8b8e88b |
| SHA1 | bed243f51575293e2654ec7729129b51f832d906 |
| SHA256 | 4ceef0f0184b6ce9b4bb07e3294b29f83bfec7eed2dcc80146726bd74b5c95c4 |
| SHA512 | b2e7ce15e3fb4b381c081d68b116deadc072dd2543aefbae70ef1de2f7154c7acd720e093ad5f5725cba0ed47626993ebc04eb4037535d740798ad873bed7bab |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc3E38.tmp
| MD5 | e4f239da4b0f43dc254b23cb82a34001 |
| SHA1 | 1d121f58e19e72228e4c1ab4149481efce89b5d2 |
| SHA256 | f141b19efefe27dc43a2873232e439f6e020f8233939eaea80738b3415418f81 |
| SHA512 | a43bade9bbdd661191490838c0191039b017d9ac769b289ecfcc088b784751ff41ffa62c89b3c002fdc81cd878d8fc5fd25046320aa05f82b154fad66f79ced3 |
C:\Users\Admin\AppData\Local\Temp\RES3E39.tmp
| MD5 | 8554bd7b09032d6b48ec37d91202c925 |
| SHA1 | 63675c1fe055e9dfb960db9ace6637169a5a2527 |
| SHA256 | 6b75a90615cf9ff51d4b4cdb2ce24967bfef84cc63f7d617d73a458a3f456dc6 |
| SHA512 | 51f4051d5f7fc869af824e71429921eddae77b43474c738861d9a31d1e736b7002223c284ac7fe16037b19f7355eaefde899d023e03fb19d8c5aa8b7712a5c45 |
C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp.exe
| MD5 | 1be6f1cd434fa65f852a86340bbe6687 |
| SHA1 | e5d0a45ccaf55d3697ae4dad17b59f38b66ce085 |
| SHA256 | 0f4d3f49e93ad5e9ff1a1e788c86bf8ad5f411680730b96d09df07a299f4df15 |
| SHA512 | 1cbbc69dc6b46c6492e2cd0e4ed226427bb7aebfed194a6631fda4baac9b6fee29b10e078d63d0686c8f1e85be95324f817252327f8e50818c6280927270e550 |
memory/804-23-0x0000000074F80000-0x000000007552B000-memory.dmp
memory/2508-24-0x0000000074F80000-0x000000007552B000-memory.dmp
memory/2508-25-0x0000000000540000-0x0000000000580000-memory.dmp
memory/2508-26-0x0000000074F80000-0x000000007552B000-memory.dmp
memory/2508-28-0x0000000000540000-0x0000000000580000-memory.dmp
memory/2508-30-0x0000000000540000-0x0000000000580000-memory.dmp
memory/2508-29-0x0000000074F80000-0x000000007552B000-memory.dmp
memory/2508-31-0x0000000000540000-0x0000000000580000-memory.dmp