Analysis Overview
SHA256
4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0
Threat Level: Known bad
The file 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Deletes itself
Uses the VBS compiler for execution
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 20:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 20:57
Reported
2024-04-08 21:00
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4D45.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4D45.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp4D45.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4D45.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe
"C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\peyqrj5o.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E2F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc41213723B7CE4C5DACA2D181F64FE652.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp4D45.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4D45.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2596-0-0x0000000074980000-0x0000000074F31000-memory.dmp
memory/2596-1-0x0000000074980000-0x0000000074F31000-memory.dmp
memory/2596-2-0x0000000000D50000-0x0000000000D60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\peyqrj5o.cmdline
| MD5 | 5a216974017482847e1173ddebf923c0 |
| SHA1 | 144ede6c6347f9a580df03ec6e56d0fa27284ac6 |
| SHA256 | 3370007520b70ffd1737cf9276e895c410356050c77136d2c4cb411579a9f1e2 |
| SHA512 | 72954a16306b57e982025b4568769d1073641875acffbfc19b889b1583702ec4e35b27a2c321c162e0572060baa66806ed177af7426f4a87a85926626cf46d17 |
memory/2148-8-0x0000000002550000-0x0000000002560000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\peyqrj5o.0.vb
| MD5 | 2fade4e56662a80ec5b531584334c8b1 |
| SHA1 | a7281f32fee391b8e571eb9782879dfe85725649 |
| SHA256 | c02937ba4d58b1f5a0b0ea925c3ec57aa864bb5970a58ffbf561007fde1d6aad |
| SHA512 | 8fcc97a5c973f0d3d82a2d2bf9ef5f5eac3bcbe6d40af88fe918e02b09af5763f48e6684c7c2399c420372103bd657c7628391128fe90485895e3eea24ea80dd |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc41213723B7CE4C5DACA2D181F64FE652.TMP
| MD5 | d1b7eff95375eeb1a2e61b3a49c4ec20 |
| SHA1 | b415d745e1501b20239c7dbd5686f5554a6930f2 |
| SHA256 | 0b30b43121b8b8a30aa3e9297eb2361e37d55aa582d3c279b0618675e2d5e790 |
| SHA512 | 29d2be7d07e4923143a365f0a565fe5760e9554e4b05c8169246543bce370738c2df919068fd43e6aaa4dd81daf418cd3ee1cdd8c1f3aa38f6627ef6cdc7ee3b |
C:\Users\Admin\AppData\Local\Temp\RES4E2F.tmp
| MD5 | 99c6684879572f000a9d4e3ac83194a6 |
| SHA1 | b810fc679d74ab446ee08ee2cd0110884da6fb3f |
| SHA256 | 8a6304ae0835c4ba56b9b324e6d5ae759856b7e537877d54b41da4926a63a5d6 |
| SHA512 | d5b329bde0c9a9bb78d92cf7a1341d12ebc5157bbd2e63b72ce1d9ff857b6e026c5482e45319684322dcc17b6059644ec18eaf1c46d489b686feef9bd00ffdab |
C:\Users\Admin\AppData\Local\Temp\tmp4D45.tmp.exe
| MD5 | 17ef610a75030ce7cf21bb881cb15331 |
| SHA1 | 56a380fd672a4895744524a123ed259b046fa02a |
| SHA256 | e2bc5dce3a85eeda0cc46783b4f5a16726bff570e405db34c20b0f1c72f7e6fe |
| SHA512 | 87944babb652eabfcee38b00ae6ffa9b4d3a1146a40dfe80a11f73bbe8521b4b57c42a71f7152a9ffb41a70a9d1f98c5fa311c604a0f5cf9d7a2113eb71fdd78 |
memory/2112-22-0x0000000074980000-0x0000000074F31000-memory.dmp
memory/2596-21-0x0000000074980000-0x0000000074F31000-memory.dmp
memory/2112-23-0x0000000001040000-0x0000000001050000-memory.dmp
memory/2112-24-0x0000000074980000-0x0000000074F31000-memory.dmp
memory/2112-26-0x0000000001040000-0x0000000001050000-memory.dmp
memory/2112-27-0x0000000074980000-0x0000000074F31000-memory.dmp
memory/2112-28-0x0000000001040000-0x0000000001050000-memory.dmp
memory/2112-29-0x0000000001040000-0x0000000001050000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 20:57
Reported
2024-04-08 21:00
Platform
win7-20240319-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3939.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp3939.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3939.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe
"C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dx6gioj1.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AEF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3ADE.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp3939.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3939.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2200-0-0x0000000074B10000-0x00000000750BB000-memory.dmp
memory/2200-1-0x0000000074B10000-0x00000000750BB000-memory.dmp
memory/2200-2-0x0000000000290000-0x00000000002D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dx6gioj1.cmdline
| MD5 | 0bc7d7beeaca525bfacc50b88107e019 |
| SHA1 | 9faa7108d160445a3dc96e5219ffc8ac19589d67 |
| SHA256 | 581f574e56cb170f4b9dfa5bc2d034ef561118f2cb55b72b76a5422693e5e607 |
| SHA512 | 7ef32de564f8afb0c42a078f7d11d9b7fc85a0f4c222cc7bd3826996938dde7e20554a84118b2458411ad4fee659fa1785dcd779373d2c6c6ad0592727722555 |
memory/1640-8-0x00000000002B0000-0x00000000002F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dx6gioj1.0.vb
| MD5 | 89dea00193b6fc0090abaa5b3d4048ea |
| SHA1 | 2bbbfdd7c1b29c06a1f87e2e32ce01cf3f1b5a59 |
| SHA256 | 2642a8befa174d2529000518d0efcb28872588e5fb5c73df40e64ddcaffd23fd |
| SHA512 | 2aad1747b4cdae6cb20d167e4ddef7552d2188290271678504065dd550ab06ec51b0a61d9f61143c7d93fb0bcd6e8b7a8f888fc876335f5b098e276ffd5db1fc |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc3ADE.tmp
| MD5 | 0f5de4148b83d89418a78816e69bb8d7 |
| SHA1 | 1de400d24ae2c663e7ac87540209c3b22d3b2ce5 |
| SHA256 | 96e5ad45be923f22b2b3903b3fa4f627dba12ee269cf2e0bdbbf7b166cfe4b80 |
| SHA512 | f475bfcf5f12e255e1d3d7beaf171b95ba1c56c2069ff8a26fb8e344fe219705b2cbfeb1b301df7cbe13acf2a2d1fe1000b03faea6773323948181d01a837ebc |
C:\Users\Admin\AppData\Local\Temp\RES3AEF.tmp
| MD5 | fe14fa87a4f9a0640d6e73db7c17c0a6 |
| SHA1 | 7bff7a28ea272e99a95ed267376b18ffc0a79445 |
| SHA256 | 6f2f97b0e9adcab057f70a8dedaa3da482cefb69b4d29dfc2db0e42615f0a6f1 |
| SHA512 | b0c283bfb118519c3ddd1a3832bbe6a53684615162de1f0d70e4ed70fab210d3cd9ace5e979d6147c06d45c6c891e166bed5d55b7242deaa415eb783dd02e397 |
C:\Users\Admin\AppData\Local\Temp\tmp3939.tmp.exe
| MD5 | f365f15321401d1173ffd399e36e811c |
| SHA1 | adca584023d4ffca46a64b5caa3e73d7510f5e94 |
| SHA256 | 8125a1d8bc6cf5aaf9eef7a9c616918fed49f1a0e219e4fcdd3962f1ed1e3c38 |
| SHA512 | 89179e006cb720d596dc64d9a79c5ae50f0070aed92a83d45a91be5dd43658d98e7a474ebbb46e25a1c8d71017375c0f433562f4d7508c169bc9497f5d0d9c0e |
memory/2200-23-0x0000000074B10000-0x00000000750BB000-memory.dmp
memory/2160-24-0x0000000074B10000-0x00000000750BB000-memory.dmp
memory/2160-25-0x0000000000A70000-0x0000000000AB0000-memory.dmp
memory/2160-26-0x0000000074B10000-0x00000000750BB000-memory.dmp
memory/2160-28-0x0000000000A70000-0x0000000000AB0000-memory.dmp
memory/2160-29-0x0000000074B10000-0x00000000750BB000-memory.dmp
memory/2160-30-0x0000000000A70000-0x0000000000AB0000-memory.dmp
memory/2160-31-0x0000000000A70000-0x0000000000AB0000-memory.dmp