Analysis Overview
SHA256
c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8
Threat Level: Known bad
The file c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Uses the VBS compiler for execution
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 02:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 02:09
Reported
2024-04-09 02:12
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe
"C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lsm3r-u8.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3014.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA4A77059CEA48DE8010A8891E663D8E.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3916 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.204.74:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2016-0-0x0000000074F80000-0x0000000075531000-memory.dmp
memory/2016-2-0x0000000001480000-0x0000000001490000-memory.dmp
memory/2016-1-0x0000000074F80000-0x0000000075531000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lsm3r-u8.cmdline
| MD5 | 726a0fe4a0164edd8067faf100ed6d45 |
| SHA1 | 1d7a119c18cf5ddd3a9e1b2ba9e0ca4bbc965697 |
| SHA256 | 457c680a809f87dcf5ac93930386a7b6bdf57efd767dddf81814c37772dff0df |
| SHA512 | 591a57ff7959440076c6a553b008c87d4da6429e9dadb7685f70cf498b77e835cd346f05dc2ae59c377e3e7baa679246daf0384e8d3e0d9b193f54492670afb7 |
memory/4724-8-0x00000000023A0000-0x00000000023B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lsm3r-u8.0.vb
| MD5 | d708da0c29f9474e8e22c5db48dc71a1 |
| SHA1 | 34c63cde8d71692041a82068a91676485ca608ba |
| SHA256 | 4eadfcdb7e45de848a8230f262a18d5022f3a76234d0acbdb3c0282e40c3bf63 |
| SHA512 | fb8ed3cc966d93eaf912652d1ced0f84f2d49e7ef5188b43dc8b9f01fbcf9087d14d2a459fa60f76fbffd723b96b760404ce320c8cd51bf2895f02af8f9bcbdc |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbcAA4A77059CEA48DE8010A8891E663D8E.TMP
| MD5 | 987521b850d84d38ddb9aa5dca34ff3e |
| SHA1 | 67c1a75c30393198dc8884f541e8a42077e7ca10 |
| SHA256 | 9d54d2361766d1b6bd33dedaea0f59cfab3c1c56ae7ef15e44093031d300a64b |
| SHA512 | 755ed39969c89ef7ad00dbe8543d3b2efa84a04d3f6092f6a1fe781738b6d17220c77da56e3b77a1dff4ee95bd2c00e99f7cf1c9d0cb8207fcdaf945d55214d7 |
C:\Users\Admin\AppData\Local\Temp\RES3014.tmp
| MD5 | 9cbd1272a8a5a42b5def9ae89262ac57 |
| SHA1 | f5a1e2d5151efc6f037b741f20f74c13cbe5d1a2 |
| SHA256 | eaa0c20ab16b61344aae2a478d39d18c40e22971f9b996399cac3dbf3312f979 |
| SHA512 | de9c349337916b69f5b0f2f54e8242a078c2c364cb87eceb77c46329f180bbdc75ee8183a9ebe628311ce55e74b2902ae65581e1d4ab62c38050ea3aec5b2047 |
C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe
| MD5 | a130bd0cd942dfe564d26efdd77cf1aa |
| SHA1 | 7fb8e0c4f952967f6146860f073c1161a8fbe709 |
| SHA256 | 8b52496a2d3c95d7177cf58dde2446fef5b264d4af2cc022668d0838f6c3360b |
| SHA512 | c627c5f3e05922e7d739e703d2e35a51efa9148628fecff2085cc8accd0d62fe4291556ef4b4538acb64e43de6231c07082414d6769ade0788e66f6f04f6592a |
memory/4956-21-0x00000000010D0000-0x00000000010E0000-memory.dmp
memory/2016-22-0x0000000074F80000-0x0000000075531000-memory.dmp
memory/4956-23-0x0000000074F80000-0x0000000075531000-memory.dmp
memory/4956-24-0x0000000074F80000-0x0000000075531000-memory.dmp
memory/4956-26-0x00000000010D0000-0x00000000010E0000-memory.dmp
memory/4956-27-0x00000000010D0000-0x00000000010E0000-memory.dmp
memory/4956-28-0x0000000074F80000-0x0000000075531000-memory.dmp
memory/4956-29-0x00000000010D0000-0x00000000010E0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 02:09
Reported
2024-04-09 02:12
Platform
win7-20240221-en
Max time kernel
164s
Max time network
168s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8305.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp8305.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8305.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe
"C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ktxuntmk.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84AB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc84AA.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp8305.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8305.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2384-0-0x0000000074390000-0x000000007493B000-memory.dmp
memory/2384-1-0x0000000074390000-0x000000007493B000-memory.dmp
memory/2384-2-0x00000000003E0000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ktxuntmk.cmdline
| MD5 | a494b15c2fab7eae176dfeba0b822cdd |
| SHA1 | d38858d886ccf04d0062d9642d5a53e3c80ff2fd |
| SHA256 | 78ca1eb9cf72a3f738cb9cf307a9f692f95d526f941d877bc1eda0f659f218ed |
| SHA512 | ff7a58aa6941bdaac3a5d4509cdc25b2480f72df0c1be857be5155aef5f2294531d2e6ad54a25bd3eca482947f4085347ef6f40cb0e37ada10bde0c12fa8cfb4 |
memory/2512-8-0x0000000002170000-0x00000000021B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ktxuntmk.0.vb
| MD5 | 953f6c67d08b4d333c3759d378a5641f |
| SHA1 | 1ae407bf31638381a68a228c7c09285b83ab11d4 |
| SHA256 | 3dc4e6db044277178980dbb77ca56cbb7a9ffb5c2d8b7d8cbb6bd31ac42092f8 |
| SHA512 | cb7ff6a5c5702a5026188b61cc6d1e84f83e41bfc473f48645681b46f9f160b40833a59cd103c25404db4b6b6ede5dd27ca19d175307ecd9d34dabf5e27a62b6 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc84AA.tmp
| MD5 | 1cfb72f50fa71e1b6ebd022f5b81542d |
| SHA1 | d649149779a9c6187d9bc6599d3e948bc9f35503 |
| SHA256 | 349771d1a16bf90e09b51b05d33737a1de0a0671876c59c8884b1a9cf992ac75 |
| SHA512 | 969d427914705dfa97b4b014e6295f016e75dd3c9ae98099a1555ce9808dc859c6dc80f96a9306e7afd60a877a9b29d3820b415780ae150b464dde09eed765f5 |
C:\Users\Admin\AppData\Local\Temp\RES84AB.tmp
| MD5 | b2a397aacc6ee25fab9a620aa0638fa6 |
| SHA1 | 6a077e55d5dd1d0e2b033e7f9caca726ff98d64b |
| SHA256 | 36a545ddc9c4755c3bb2ced00c8e97f82d022957056056211937e22c461832f8 |
| SHA512 | b3876b8915a14713d3eb6b651ded5e427426afc07357f08b3c5be38b7001e99d8de056c0068fcec74319c195c16bb77e242c37743ff66f7615c6fe63e5aad805 |
C:\Users\Admin\AppData\Local\Temp\tmp8305.tmp.exe
| MD5 | 79c646a46d0a343f772de78bb33fee4b |
| SHA1 | 2eb805e58dfdd32bfa97bafe8a252a7476245a8e |
| SHA256 | 7b63b7118d33621456522da6a9c51cdfab79d3a60f7a1f5e11a487bc7159dfeb |
| SHA512 | bb7b32515786d936ff55bd172a67ce3d2efe15608491e135a0fc5aeaffddb336fe6b9ed25b442b8500cc3220f6e444534fc986670ce3e63513d1c5708c5c4cdc |
memory/2384-23-0x0000000074390000-0x000000007493B000-memory.dmp
memory/2644-24-0x0000000074390000-0x000000007493B000-memory.dmp
memory/2644-25-0x0000000000540000-0x0000000000580000-memory.dmp
memory/2644-26-0x0000000074390000-0x000000007493B000-memory.dmp
memory/2644-28-0x0000000000540000-0x0000000000580000-memory.dmp
memory/2644-29-0x0000000074390000-0x000000007493B000-memory.dmp
memory/2644-30-0x0000000000540000-0x0000000000580000-memory.dmp
memory/2644-31-0x0000000000540000-0x0000000000580000-memory.dmp