Analysis Overview
SHA256
0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9
Threat Level: Known bad
The file 0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Executes dropped EXE
Uses the VBS compiler for execution
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-11 18:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-11 18:23
Reported
2024-04-11 18:26
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp42B6.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp42B6.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp42B6.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe
"C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cqzzydlq.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4391.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA5F96708A9A54E168484431D2737D79.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp42B6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp42B6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2932-0-0x0000000074FB0000-0x0000000075561000-memory.dmp
memory/2932-1-0x0000000074FB0000-0x0000000075561000-memory.dmp
memory/2932-2-0x0000000000980000-0x0000000000990000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cqzzydlq.cmdline
| MD5 | 0a2b6f9a94c469ebfb967ef0ec52374e |
| SHA1 | cfcc0469cc7e8a39d4defce21f7233d27355c322 |
| SHA256 | ffcd63d56ea1bba07e7807dc082e7feac5993d47bd46d0b1ae0c5f6fa645b070 |
| SHA512 | 944b3c80d24f77e133b616c26ef388db6a9cf5f5d289ef33d1e3fd5b9ca00dfbbd2ff19be71673c274f612c8a33e76f25b04812bf6120e4b320b66aeb822dbe4 |
memory/2484-8-0x0000000002480000-0x0000000002490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cqzzydlq.0.vb
| MD5 | 153f881f97eb6cb7e1f079b5bfada3fc |
| SHA1 | b428a142705b6bea3b3ccca9cd4939fef26a769f |
| SHA256 | 3f544f7fcb359b4efb3c56f19a33af94de9dea085afbb623e6f761c8c6879d97 |
| SHA512 | a4277d08c29fdf3d0bf558cf4bc96d7852f2fee3a54d91cefd81f90d61c66bf57d2538ec1c9bb2a0b55a8600bfd3c3cbf14a44756107d8e641db35039346c631 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbcA5F96708A9A54E168484431D2737D79.TMP
| MD5 | c05bc58ae3119f04897189023ba593ed |
| SHA1 | cd496174aaf67e0deaa216de1d7b974facba04ae |
| SHA256 | 0111f91fc70d9bc1635284d380ce55ce2e794178e68e2c7fa5bb55657f0d2506 |
| SHA512 | f6d9be2810e80b34d3ef2e272ed3c492af73cad0992c75e00bc6823114101258136e2d757ed7a0f5ca6797994a34c99873a54279c383f38265c2da142d800751 |
C:\Users\Admin\AppData\Local\Temp\RES4391.tmp
| MD5 | b3e8bb9fd6bf6571a30e742af0062e72 |
| SHA1 | 2f542ad2f01181fedd61bb555181e810534d32aa |
| SHA256 | aa87ba4cdf3b31ffaafe5e03faa630e2a831f724085ff5d8d7b60797fdbba68c |
| SHA512 | 431de4683bb6cc7c13efb9fc15703f8f5d1e74077cdb7dc35d35c697fe533d843389d8bea6f818a694ba45058eb2cdce4b8368385e8f3b133930b72251f03c20 |
C:\Users\Admin\AppData\Local\Temp\tmp42B6.tmp.exe
| MD5 | a3ebf2320ff32404b19f26e4126db7a1 |
| SHA1 | 51ed1df4da4daa098027d6e7150c206d12bdf492 |
| SHA256 | 99295e17b7b7388498512f50ac70fcfee6016016c84696856f9d06ce232d9f78 |
| SHA512 | d5b48cc4bcad1729d4b68d7a86f96a8800a41f94a74cfb3acc11275c90c7ab887ce43c6f2bc4b9a826f81e2ae7af371f7cdf6f83bac987782cdc92e2bd73a9d8 |
memory/2932-21-0x0000000074FB0000-0x0000000075561000-memory.dmp
memory/4672-22-0x0000000074FB0000-0x0000000075561000-memory.dmp
memory/4672-23-0x0000000000DE0000-0x0000000000DF0000-memory.dmp
memory/4672-24-0x0000000074FB0000-0x0000000075561000-memory.dmp
memory/4672-26-0x0000000074FB0000-0x0000000075561000-memory.dmp
memory/4672-27-0x0000000000DE0000-0x0000000000DF0000-memory.dmp
memory/4672-28-0x0000000000DE0000-0x0000000000DF0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-11 18:23
Reported
2024-04-11 18:26
Platform
win7-20240221-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp53EA.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp53EA.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp53EA.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe
"C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aak9jdjy.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55FD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc55FC.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp53EA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp53EA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2232-0-0x0000000074C80000-0x000000007522B000-memory.dmp
memory/2232-1-0x0000000074C80000-0x000000007522B000-memory.dmp
memory/2232-2-0x0000000000280000-0x00000000002C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aak9jdjy.cmdline
| MD5 | 2db497eae862e4ed087a502c1906108f |
| SHA1 | 318fd4d2552bb84894a4d12ad6c78f2f755fbcd5 |
| SHA256 | afd77fec880dd24248a353e19bc84acfe875db89c654c4c69967307794694a5a |
| SHA512 | e8cbfbb9492d4938e1495434db7299834f8e051018eb9c81cd0efae7cc41f442833a4ff51ef41f6c72c917a704273270db7066b0ca0bfbc32abe9ff449d39f67 |
memory/2516-8-0x0000000001F20000-0x0000000001F60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aak9jdjy.0.vb
| MD5 | 3571f63e56e20e91eb5accd34c2acbcd |
| SHA1 | 4be34fe660a094070d53e7820f23ab95af51d9c9 |
| SHA256 | b5e6a31c92d33e46016722c7504668d1ac7ca148df5148326013dd179485dacd |
| SHA512 | aac56f48467a9a075ed44660e8b7dc0feef4d4aa4d56b8f03cf90be728a47b2e07d03ef3eab421b749dc7b5f1def021c7612db6e6ea0d2e0b036ab239443f767 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc55FC.tmp
| MD5 | ef7452658bf5b0bfa0b3345a7b24044d |
| SHA1 | dcaf020d860794d97be488b390736d65c279f577 |
| SHA256 | 09db5ddbb830838252dc505b6b2b99d61534af1098c09f859097ac5e324fd0c3 |
| SHA512 | 0e81d6aad68a31face65cb1f6b8208f9f7a4bbc1196745ac979c4424e88cab348b546bb74183056a8ee72fa123da9ec8213b0af1a2a828bf82edf7f242281b72 |
C:\Users\Admin\AppData\Local\Temp\RES55FD.tmp
| MD5 | 1dd2eeb40b4e5dc9f3453b1bc13165d8 |
| SHA1 | b90defba4c1ba018ae005d4760542d15be4c2861 |
| SHA256 | db8a417729fd7ba0a1c2a7ffbe73dc46b22ebcc9d9b4608e156b182a7786fe02 |
| SHA512 | 4c4afb530db8b5befe6efc6a5253537e2f9b45cc2b7521f9ef256eb08124b9096e7da2ecb4d5d9ee33fd84acaf480a5948da00c5a1f401e79a83cff2b69a5657 |
C:\Users\Admin\AppData\Local\Temp\tmp53EA.tmp.exe
| MD5 | ced27d14daf34a192b1208874a43824d |
| SHA1 | 189402d481739151f3257cf5cbc4e4f1440509c1 |
| SHA256 | 4f2b7d1535fcc06ab20c9f066edad43b96cd123b7a7cab22f328496c996907b1 |
| SHA512 | b1542cda5c9a514425af59b563a7dfea236a2a47c2cc82429c528457689f1d33247adfe60fd8fd494a42f0c490702a543f4637cb7f61bba81d21086a9190d846 |
memory/2548-24-0x0000000074C80000-0x000000007522B000-memory.dmp
memory/2232-23-0x0000000074C80000-0x000000007522B000-memory.dmp
memory/2548-25-0x00000000005B0000-0x00000000005F0000-memory.dmp
memory/2548-26-0x0000000074C80000-0x000000007522B000-memory.dmp
memory/2548-28-0x00000000005B0000-0x00000000005F0000-memory.dmp
memory/2548-29-0x0000000074C80000-0x000000007522B000-memory.dmp
memory/2548-30-0x00000000005B0000-0x00000000005F0000-memory.dmp
memory/2548-31-0x00000000005B0000-0x00000000005F0000-memory.dmp