Analysis Overview
SHA256
20342106e18d4f84ea2af49fa2fdc30d3816de8fb6e3672c643a1a7234d4a20b
Threat Level: Known bad
The file 20342106e18d4f84ea2af49fa2fdc30d3816de8fb6e3672c643a1a7234d4a20b was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Loads dropped DLL
Checks computer location settings
Uses the VBS compiler for execution
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-11 19:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-11 19:19
Reported
2024-04-11 19:22
Platform
win10v2004-20240226-en
Max time kernel
156s
Max time network
167s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\20342106e18d4f84ea2af49fa2fdc30d3816de8fb6e3672c643a1a7234d4a20b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9B65.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp9B65.tmp.exe | N/A |
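The Run value above is a persistence entry named System.XML whose command points at AppLaunch.exe under the user's Temp directory. AppLaunch.exe is the name of a .NET Framework binary that normally lives under %WINDIR%\Microsoft.NET\Framework\, and no AppLaunch.exe appears in the dropped-files list of either detonation in this report. The following Python is an added triage check, not part of the sandbox report: it parses the indicator string exactly as the report prints it (the value is JSON-escaped), extracts the launch image, and flags values that start from a user-writable path or reuse a system binary's name outside its normal directory. The table of known system binaries and their home directories, and the benign SecurityHealth entry used as a control, are assumptions for the example.

```python
"""Triage a Run-key indicator in the format this report prints.

Added example, not part of the sandbox report. KNOWN_SYSTEM_BINARIES is a
small assumed reference table (binary name -> directory it ships in)."""
import json
import re

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$", re.I)
# Locations a non-admin user can write to; autostart from here is a signal, not a verdict
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
# Binary names that ship with Windows or .NET and where they normally live (assumed list)
KNOWN_SYSTEM_BINARIES = {
    "applaunch.exe": r"\microsoft.net\framework",
    "svchost.exe": r"\windows\system32",
    "explorer.exe": r"\windows",
    "msbuild.exe": r"\microsoft.net\framework",
}


def parse_indicator(indicator):
    """Split '<key>\\<name> = "<json-escaped command>"' into its three parts."""
    left, _, right = indicator.partition(" = ")
    key, _, name = left.rpartition("\\")
    command = json.loads(right)  # the report stores the value JSON-escaped
    return key, name, command


def launch_image(command):
    """Return the executable path from a Run value command line."""
    command = command.strip()
    if command.startswith('"'):  # quoted path, possibly followed by arguments
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def assess_run_value(indicator):
    """Return a triage record listing why the entry deserves a look (empty = nothing found)."""
    key, name, command = parse_indicator(indicator)
    if not RUN_KEY.search(key):
        return None  # not an autostart key
    image = launch_image(command)
    base = image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if USER_WRITABLE.match(image):
        reasons.append("launched from a user-writable directory")
    home = KNOWN_SYSTEM_BINARIES.get(base)
    if home and home not in image.lower():
        reasons.append(f"{base} normally lives under ...{home}, not here")
    return {"value_name": name, "image": image, "reasons": reasons}


# Indicator copied from the report (behavioral2), plus a constructed benign control entry
REPORT_INDICATOR = (r'\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000'
                    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML'
                    r' = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""')
BENIGN_INDICATOR = (r'\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000'
                    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth'
                    r' = "%windir%\\system32\\SecurityHealthSystray.exe"')

if __name__ == "__main__":
    for ind in (REPORT_INDICATOR, BENIGN_INDICATOR):
        print(assess_run_value(ind))
```

The user-writable check alone is noisy (OneDrive, Teams and similar legitimately autostart from AppData), so treat the reasons as a score to combine with the other signatures in this report rather than as a verdict on their own.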
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\20342106e18d4f84ea2af49fa2fdc30d3816de8fb6e3672c643a1a7234d4a20b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9B65.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\20342106e18d4f84ea2af49fa2fdc30d3816de8fb6e3672c643a1a7234d4a20b.exe | "C:\Users\Admin\AppData\Local\Temp\20342106e18d4f84ea2af49fa2fdc30d3816de8fb6e3672c643a1a7234d4a20b.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8w3o8gbp.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CFB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc68989AD1276347AA9A4950CAA6CF2139.TMP" |
| C:\Users\Admin\AppData\Local\Temp\tmp9B65.tmp.exe | "C:\Users\Admin\AppData\Local\Temp\tmp9B65.tmp.exe" C:\Users\Admin\AppData\Local\Temp\20342106e18d4f84ea2af49fa2fdc30d3816de8fb6e3672c643a1a7234d4a20b.exe |
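The process list shows the sample compiling its next stage at run time: it writes VB.NET source (8w3o8gbp.0.vb) and a compiler response file (8w3o8gbp.cmdline) to Temp, runs vbc.exe from the .NET 2.0 framework directory against that response file, vbc.exe calls cvtres.exe to build the resource object (zCom.resources, vbc*.TMP, RES9CFB.tmp), and the resulting tmp9B65.tmp.exe is then executed with the dropper's own path as its argument. The .vb, .cmdline and RES*.tmp artifacts are what .NET CodeDOM compilation leaves behind; vbc.exe is the Visual Basic .NET compiler, not a VBScript engine. The following Python is an added detection example, not part of the sandbox report: process-creation records modelled on the list above are checked for a framework compiler reading a response file from a user-writable path with a non-developer parent, and for execution of a tmpXXXX.tmp.exe from Temp. The pid/ppid values, the parent allow-list and the benign devenv.exe/csc.exe control records are assumptions for the example; the report gives no parent/child tree.

```python
"""Flag the run-time compilation chain shown in the process list.

Added example, not part of the sandbox report. EVENTS is modelled on the
process list above; pid/ppid values, the parent allow-list and the benign
devenv.exe/csc.exe control records are assumptions."""
import re

COMPILERS = {"vbc.exe", "csc.exe"}
FRAMEWORK_DIR = re.compile(r"^[A-Za-z]:\\Windows\\Microsoft\.NET\\Framework", re.I)
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.I)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+)')          # the @file argument to vbc/csc
TMP_EXE = re.compile(r"^tmp[0-9a-f]{4}\.tmp\.exe$")  # tmp9B65.tmp.exe, tmp79B2.tmp.exe
# Parents for which an on-the-fly compile is expected; tune per environment (assumed)
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\20342106e18d4f84ea2af49fa2fdc30d3816de8fb6e3672c643a1a7234d4a20b.exe")
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"

# Constructed process-creation records (image + command line taken from the report)
EVENTS = [
    {"pid": 1480, "ppid": 900, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1476, "ppid": 1480, "image": FW + r"\vbc.exe",
     "cmdline": f'"{FW}\\vbc.exe" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\8w3o8gbp.cmdline"'},
    {"pid": 1490, "ppid": 1476, "image": FW + r"\cvtres.exe",
     "cmdline": f'{FW}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
                '"/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RES9CFB.tmp" '
                '"C:\\Users\\Admin\\AppData\\Local\\Temp\\vbc68989AD1276347AA9A4950CAA6CF2139.TMP"'},
    {"pid": 1124, "ppid": 1480, "image": r"C:\Users\Admin\AppData\Local\Temp\tmp9B65.tmp.exe",
     "cmdline": f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp9B65.tmp.exe" {SAMPLE}'},
    # constructed benign control: Visual Studio driving csc.exe on a project response file
    {"pid": 2000, "ppid": 1, "image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 2001, "ppid": 2000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.rsp"'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_compile_after_delivery(events):
    """Return findings for compiler abuse and for execution of the compiled output."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        if name in COMPILERS and FRAMEWORK_DIR.match(e["image"]):
            m = RESPONSE_FILE.search(e["cmdline"])
            response = m.group(1) if m else ""
            # a framework compiler fed a response file from AppData by a non-developer parent
            if USER_WRITABLE.match(response) and parent_name not in EXPECTED_PARENTS:
                findings.append({"rule": "compile_after_delivery", "pid": e["pid"],
                                 "parent": parent_name, "response_file": response,
                                 "attack": "T1027.004"})
        if TMP_EXE.match(name) and USER_WRITABLE.match(e["image"]):
            # compiler output run straight from Temp; note whether it is handed the parent's own path
            handoff = parent is not None and parent["image"].lower() in e["cmdline"].lower()
            findings.append({"rule": "dropped_tmp_exe_execution", "pid": e["pid"],
                             "parent": parent_name, "parent_path_as_argument": handoff})
    return findings


if __name__ == "__main__":
    for finding in detect_compile_after_delivery(EVENTS):
        print(finding)
```

The same logic applies unchanged to the win7 detonation (behavioral1), where the artifacts are 8ieur3y-.cmdline, RES7C14.tmp and tmp79B2.tmp.exe. The compiler check keys on the response-file location rather than on vbc.exe itself because developer hosts run vbc.exe and csc.exe routinely; the response file sitting in the user's Temp directory with a non-developer parent is what separates this chain from a build.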
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | N/A | tcp |
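The table above is dominated by repeat TCP connections to bejnz.com at 34.67.9.172:80 and by periodic lookups of hackorchronix.no-ip.biz that are never followed by a connection, with reverse (in-addr.arpa) lookups of unrelated addresses interleaved. The following Python is an added helper, not part of the sandbox report: it parses rows in the table's format (tolerating a row whose Domain cell is missing, as the last row above originally was), discards reverse lookups and resolver traffic as non-indicators, and reports per queried domain how many queries and connections were seen, which endpoints they went to, and whether the name sits on a dynamic-DNS provider. ROWS is a constructed subset of the rows above; the dynamic-DNS suffix list is an assumption and not exhaustive.

```python
"""Reduce a sandbox Network table to indicators worth acting on.

Added example, not part of the sandbox report. ROWS is a constructed subset
of the table above (including a row that lacks the Domain cell);
DYNDNS_SUFFIXES is an assumed, non-exhaustive list."""
from collections import Counter

ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | tcp |
"""
DYNDNS_SUFFIXES = (".no-ip.biz", ".no-ip.org", ".ddns.net", ".duckdns.org", ".hopto.org")
COLUMNS = ("country", "dest", "domain", "proto")


def parse_rows(text):
    """Parse pipe-delimited rows; a 3-cell row is treated as one missing its Domain."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 3:
            cells.insert(2, "")
        if len(cells) != 4 or cells[0] == "Country":
            continue
        rows.append(dict(zip(COLUMNS, cells)))
    return rows


def summarize(rows):
    """Per queried domain: query count, connection count, endpoints, dynamic-DNS flag."""
    queries = Counter()
    connections = Counter()   # (host, port) -> number of connections
    resolved = {}             # (host, port) -> domain the report attached to it
    for r in rows:
        host, _, port = r["dest"].rpartition(":")
        if port == "53" and r["proto"] == "udp":
            if r["domain"].endswith(".in-addr.arpa"):
                continue  # reverse lookups of resolver/telemetry IPs: noise, not an indicator
            queries[r["domain"]] += 1
        else:
            connections[(host, port)] += 1
            if r["domain"]:
                resolved.setdefault((host, port), r["domain"])
    report = []
    for domain, n in queries.items():
        endpoints = [ep for ep, d in resolved.items() if d == domain]
        report.append({
            "domain": domain,
            "dns_queries": n,
            "connections": sum(connections[ep] for ep in endpoints),
            "endpoints": [f"{h}:{p}" for h, p in endpoints],
            "dynamic_dns": domain.endswith(DYNDNS_SUFFIXES),
        })
    return report


if __name__ == "__main__":
    for entry in summarize(parse_rows(ROWS)):
        print(entry)
```

Run over the full table the output reduces to two entries: bejnz.com with a long series of connections to 34.67.9.172:80, and hackorchronix.no-ip.biz with repeated queries and no connection. A name that is re-queried throughout the run but never connected to is consistent with a lookup that did not resolve during detonation; that reading is an interpretation, but the dynamic-DNS name is worth blocking alongside the domain that did answer.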
Files
memory/1480-0-0x0000000074830000-0x0000000074DE1000-memory.dmp
memory/1480-1-0x0000000074830000-0x0000000074DE1000-memory.dmp
memory/1480-2-0x00000000011B0000-0x00000000011C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8w3o8gbp.cmdline
| MD5 | d8771e5c945e566baf5139ffaebad8b7 |
| SHA1 | f4527f03abe619bbcc790848471ae142213288df |
| SHA256 | 0bc59714ba2a343a420b0b54f853ce1dfa8c5b6dd924802c14bd7a7b859b512b |
| SHA512 | 31ac8409f8fe5f0360d2f36aafc3bad41ce63efe236e29d1817e51942d832f0efcfee8ba8e7b53045ccfd520ac5e6aec9af08c260bea224425dd5a092690f132 |
memory/1476-8-0x0000000000AB0000-0x0000000000AC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8w3o8gbp.0.vb
| MD5 | 652c9056bc1296c2ce6d2458f16cb0a9 |
| SHA1 | d95dcdb058e623a471228cfd6f38749dd462fc4a |
| SHA256 | 8f86c857d00a17feba1335e8f65c1024f823f4958419c0556d32579ea0fd8678 |
| SHA512 | 98c9657132aade35ecca8cedd32275f5b0228c1290eb8f8532888d70624882dfb30a58df9e46abdef216284fea3c1acf3b543ba5f4f501c27736593df3195615 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc68989AD1276347AA9A4950CAA6CF2139.TMP
| MD5 | 4f20f9b0f8634e74c2aaa12812d8c588 |
| SHA1 | df7fdd79f89fe4ae8b611a1ac06c94507f13e050 |
| SHA256 | e738cd632f54f4206bf2fc739f9a96f9a379d028a22da28f3f931750a39fb0b7 |
| SHA512 | 95c20cb1f01a5563e7d5fa1547f6d3b639f36d7473df45fc78818b8df6b0cc30869d20f979d2a958ac9e3e5737ebd628a0dd7791cf88d886859ac4060c8bc14c |
C:\Users\Admin\AppData\Local\Temp\RES9CFB.tmp
| MD5 | 097988cf1fea0356f867908695f5d2eb |
| SHA1 | 609c76229b9287557c02b56f5f433b652368fad2 |
| SHA256 | aa0ef8144857d9f1f92d00d302e0ac55a56482176225c724063d7c8927d1e0c0 |
| SHA512 | fd189b661a096ef14fcaa88c276bc6c87bfd16cea4929e720bd66c16743c1f33935a52be19392487f64287c1e6bab96354306a23e9d1e26790dc01dd148d806b |
C:\Users\Admin\AppData\Local\Temp\tmp9B65.tmp.exe
| MD5 | 8acc3d6e499d3ade6c062b6c2d3a2340 |
| SHA1 | 250ca2af832360a2ec6d5106c6f31db3638ca115 |
| SHA256 | fefd2af89e4ef64ef907692cfe15030d29052a0dce2542ef08b0d24c492999d1 |
| SHA512 | 621796442b4d5284ab3b6974c8d3d6c0ae650f6b18fa7bf8872d44d38b9a08f36d0f348aaddbf425a9d51d95325d1d28a5ccff5b65b0ce9462b1101c6a797488 |
memory/1124-22-0x0000000074830000-0x0000000074DE1000-memory.dmp
memory/1124-23-0x0000000001860000-0x0000000001870000-memory.dmp
memory/1480-21-0x0000000074830000-0x0000000074DE1000-memory.dmp
memory/1124-24-0x0000000074830000-0x0000000074DE1000-memory.dmp
memory/1124-26-0x0000000001860000-0x0000000001870000-memory.dmp
memory/1124-27-0x0000000074830000-0x0000000074DE1000-memory.dmp
memory/1124-28-0x0000000001860000-0x0000000001870000-memory.dmp
memory/1124-29-0x0000000001860000-0x0000000001870000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-11 19:19
Reported
2024-04-11 19:22
Platform
win7-20240221-en
Max time kernel
150s
Max time network
167s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp79B2.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20342106e18d4f84ea2af49fa2fdc30d3816de8fb6e3672c643a1a7234d4a20b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20342106e18d4f84ea2af49fa2fdc30d3816de8fb6e3672c643a1a7234d4a20b.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp79B2.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\20342106e18d4f84ea2af49fa2fdc30d3816de8fb6e3672c643a1a7234d4a20b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp79B2.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\20342106e18d4f84ea2af49fa2fdc30d3816de8fb6e3672c643a1a7234d4a20b.exe | "C:\Users\Admin\AppData\Local\Temp\20342106e18d4f84ea2af49fa2fdc30d3816de8fb6e3672c643a1a7234d4a20b.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8ieur3y-.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C14.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C03.tmp" |
| C:\Users\Admin\AppData\Local\Temp\tmp79B2.tmp.exe | "C:\Users\Admin\AppData\Local\Temp\tmp79B2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\20342106e18d4f84ea2af49fa2fdc30d3816de8fb6e3672c643a1a7234d4a20b.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2176-0-0x0000000074750000-0x0000000074CFB000-memory.dmp
memory/2176-1-0x0000000074750000-0x0000000074CFB000-memory.dmp
memory/2176-2-0x0000000000320000-0x0000000000360000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8ieur3y-.cmdline
| MD5 | af0b3e7a66df62c3cd63c6d51f18e19a |
| SHA1 | 4bfddfc071a113d60732209c34bb5febc5ac9de6 |
| SHA256 | c4393326d8054d27d30bdfa840cd39dd72eee4330dd9a5ba5a83f39de51b1653 |
| SHA512 | 9bcd6511261c9bc416b47dafe881333a326e00de01ec6112a7af49f92cfb8bf034966267a3a447265b81f00333c501858c5d8c7031ff75277d28f3a84fc7a4d5 |
C:\Users\Admin\AppData\Local\Temp\8ieur3y-.0.vb
| MD5 | 12b22d6bbd37508b907829205d6f4599 |
| SHA1 | 83b3a3e1b3f78ce068cd273bf4648a5cf0f9601a |
| SHA256 | 277bb33c27d254f397257cf2a7fd4c9ae65f1b3505d5c523069ffd85b94dcad8 |
| SHA512 | dccd12a5c6fd0db53c005e23bad9c1826fae217a3b82e5649505f25aa42b3e00f3c4f33042789e4993fa2dec7c0341cfbdf937d2c15c614e7ac4ad9d4f99d082 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc7C03.tmp
| MD5 | 6e5d35bf67c038c3905f4976163be5ef |
| SHA1 | f17f2f83cbff7dec63d6ccf1fccfd9b9bf19933b |
| SHA256 | 604db66c6e7966b2345a3a7df5ae6f760f5cbff5757dc464443815baac1be0d8 |
| SHA512 | 1f14f4b122f7b7d9a64675b9518e0d5b6a3352e5c6a359961630f01f1ea8d8973bea30d258868edf23e5c2822af4f8f4ca341948d47fbe090bd9effdb64bd446 |
C:\Users\Admin\AppData\Local\Temp\tmp79B2.tmp.exe
| MD5 | ce0b8ad0ff44b044bcb589433d4306b0 |
| SHA1 | 2b585a0995acb646ee01911717d904ca88ca459c |
| SHA256 | bd5d8e13b1d664ef3b6baded631f4e5ba6f69b5d878080172f0a2acae5faf3d7 |
| SHA512 | 650b148296307c19c5a1387a9500ce1a9e05d96fb8c28f126ed1958fa8801666fc20fa95bb7147bd2ec895914ad2ca7f993a2a59e5e12641f88227e99cae366e |
C:\Users\Admin\AppData\Local\Temp\RES7C14.tmp
| MD5 | d16d5391bb499406c2f6d00913063d6d |
| SHA1 | 68f58a630e979d288132160bd72df102b12cc37f |
| SHA256 | a2bcde9672ca835a4c94d48916559a4e813533cbc043ba90cb33d52194f7ccf6 |
| SHA512 | fe4f8f0c2c6ede5d58dc2741b4a611650ffcc2c3f8cf49658e3f8a2ef4205142e2e34cadef8f1693079c6c3cef48fbb6ed59b03301a8009f9a06cee254e8ecc4 |
memory/2536-23-0x0000000074750000-0x0000000074CFB000-memory.dmp
memory/2176-22-0x0000000074750000-0x0000000074CFB000-memory.dmp
memory/2536-24-0x0000000002270000-0x00000000022B0000-memory.dmp
memory/2536-25-0x0000000074750000-0x0000000074CFB000-memory.dmp
memory/2536-27-0x0000000002270000-0x00000000022B0000-memory.dmp
memory/2536-28-0x0000000074750000-0x0000000074CFB000-memory.dmp
memory/2536-29-0x0000000002270000-0x00000000022B0000-memory.dmp
memory/2536-30-0x0000000074750000-0x0000000074CFB000-memory.dmp
memory/2536-31-0x0000000002270000-0x00000000022B0000-memory.dmp