Analysis Overview
SHA256
37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75
Threat Level: Known bad
The file 37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Checks computer location settings
Loads dropped DLL
Deletes itself
Executes dropped EXE
Uses the VBS compiler for execution
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-11 20:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-11 20:12
Reported
2024-04-11 20:15
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3400.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3400.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp3400.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3400.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe
"C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o-ee7csm.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES351A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1EE53906AFA644C7B172EE3D1EDF3E44.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp3400.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3400.tmp.exe" C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\o-ee7csm.cmdline
| MD5 | 9c6a0203a4b3461c0720284b814b76eb |
| SHA1 | 5ac669e08ddc082ce08f4c9dd5684fcb5b1997ae |
| SHA256 | b1c54229484f55d5beeb4891f30398d292d4b036432d16cefa58f5d0e8735455 |
| SHA512 | d03fd1afb2d1623093e97865e34fd92627871dc560701d78b143e35429e8107faeba261383a323b3201188b2a23b94238b0fd136f7f86a9489610a9395ebcdec |
C:\Users\Admin\AppData\Local\Temp\o-ee7csm.0.vb
| MD5 | b549faf7c5e818186309aeb1690e86e2 |
| SHA1 | bfc123028a7bdc475b00ced6aea89e35047502ab |
| SHA256 | 6307563bf11b7192945cad093c49670269e4d2d719b96568b9a181e7a62e97cc |
| SHA512 | fb14040c7a402d4acebb9aebb4ef3917d0e27759e47eb43f9ab31b1d782635fe411eaa408ad614a8937d1e1c050d660c0bb9cfd9a620823965496500563c1352 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc1EE53906AFA644C7B172EE3D1EDF3E44.TMP
| MD5 | baebd8470b803cb883daf989aad86caa |
| SHA1 | cd4aa97bb181a2c560cdff07e3ec8dfb932d2d9b |
| SHA256 | af3e47c7be9404acf8e496f6f6b7dbfa303181f3d6e01f576751e93e05fec426 |
| SHA512 | fb3672a89875c2c6d6ad0f65f311ee80be9680baa851cad4502b425e079cd29c9357cf5dadd0f98e86c094ee15bc85f1fbbcf279cda155bb7e0a18a5d415c305 |
C:\Users\Admin\AppData\Local\Temp\RES351A.tmp
| MD5 | 152d046919ddf6a5a85215821ffca61b |
| SHA1 | 4d1fbd8b57e367c561ed08e3897e47ce1f042b68 |
| SHA256 | ea1f817246bdceb0170117cf7edc414002546c238653e47c3f53f31a128d4335 |
| SHA512 | f37aed3e5e6090a9e1ca0916018994a7d3d588d4e17743efc50cd3bd1d551dc52696c63bd4e652f1574cff3eb9810053527572b35bcf4afc91aca4528c8c32d3 |
C:\Users\Admin\AppData\Local\Temp\tmp3400.tmp.exe
| MD5 | fdd1d7b83256fd8efc87fbaa944515d9 |
| SHA1 | 2ae38fd1cb2379363a7f5b0162308f3da56e6ab9 |
| SHA256 | bd9b950f77983fc5f37fa61fac42654349b47be840a4fdab91cff2db149366eb |
| SHA512 | 4fc110d3b9c157c0b62d1b3ec2c289c2450db88cb671bbd7e5d1e3b871ba7ad6f8f1bfccfa82fbebee791c51a46949099504e55c03ee5feb5d71994549fee4ad |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-11 20:12
Reported
2024-04-11 20:15
Platform
win7-20240221-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3B1D.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp3B1D.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3B1D.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe
"C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uluwpauv.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CA4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C93.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp3B1D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3B1D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
Files
C:\Users\Admin\AppData\Local\Temp\uluwpauv.cmdline
| MD5 | 1eafcd0ce5515ecf148c45f09dc1ffc4 |
| SHA1 | 700ee5d80f16e52f01f1563c1fe423dd4c85c5c5 |
| SHA256 | e4b46457121292e840bbcf4c9f8fb6af1b9168c082d0b6c8c27f4a6256edb555 |
| SHA512 | 55010472e1e0eb0c17b17757c5debc87d1ddd2e88376721cb506f93ed54ecd2ca02464771f186e226575877471bf281f4ef8021b91d5855531a53728093defcc |
C:\Users\Admin\AppData\Local\Temp\uluwpauv.0.vb
| MD5 | 7c8ebbd30dfe79d7bbcdf8d98e82a6cc |
| SHA1 | cb0cf6998583999f677a5240b363338bbaf74efd |
| SHA256 | cfb730692da6973791be07ad6ff94143a48776117290ee44b9351f797014149c |
| SHA512 | 9db76f0e3a617bbe30f61a9d244078394214c622b699dfb9388e2d0a76807f063c6e72a36f5825474b6719a2af5f3e7b1fed4fe00ed0898bb1f21df0b9d374a0 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc3C93.tmp
| MD5 | 084adcc1ad62912808ae4cc6a54be6ab |
| SHA1 | 6b0a1d1764ef8c0866a9aeb3e14f1b69630f1229 |
| SHA256 | e71882aeb39405315ababb30dbc353a7005217e1f59e393018825cda967663da |
| SHA512 | a9801c960516922ae1cff9658796801e2ec2d1fffd5d53efbb49cdd4dec61358ed75c1392ce3136fcb5d6082d80e05de46ac69d808c376e306664df383b1868e |
C:\Users\Admin\AppData\Local\Temp\RES3CA4.tmp
| MD5 | d46414bd1f57e51e9887d979eb6d5754 |
| SHA1 | 9eeb54b411e9bbedfc4076b4315ef78bcd71a47a |
| SHA256 | 8772453feda3cc849e2f8a0036d5f5f180745fefbcbdd15172d9a38f01d5617d |
| SHA512 | 542fbbd6ed3596ca1a76fa3b7ec446ee494eca8d08b6e79fc7d19e062b35c0353b946ff1637cf741f221b6730060517a63cd53c4aa4d85a0a21041b59b0a357a |
C:\Users\Admin\AppData\Local\Temp\tmp3B1D.tmp.exe
| MD5 | 4beeb6f8121052613ec4cba2423320c8 |
| SHA1 | ea6dfad02d11b31091eacf8980ac18581b5cd937 |
| SHA256 | 64ce53392a7585fe31664464cfca8e3ae2375c4b6d4ac987c5b8fd09957d5bb9 |
| SHA512 | 901346d30ded2be3f703ca2325b02ee2c779876f800d5f0ab662543c80c87a7484e70386d4a521e17a38edfb8e6c134618d6dfaf606a9c851a3946c2f4a19aa0 |