Analysis Overview
SHA256
d3244998b8740c3d48741aac18fcbc3db4495712af27b2eb0b7b0cdc4202e3f2
Threat Level: Known bad
The file d3244998b8740c3d48741aac18fcbc3db4495712af27b2eb0b7b0cdc4202e3f2 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Executes dropped EXE
Uses the VBS compiler for execution
Checks computer location settings
Deletes itself
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-12 01:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-12 01:53
Reported
2024-04-12 01:56
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d3244998b8740c3d48741aac18fcbc3db4495712af27b2eb0b7b0cdc4202e3f2.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp5544.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp5544.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp5544.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d3244998b8740c3d48741aac18fcbc3db4495712af27b2eb0b7b0cdc4202e3f2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp5544.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d3244998b8740c3d48741aac18fcbc3db4495712af27b2eb0b7b0cdc4202e3f2.exe
"C:\Users\Admin\AppData\Local\Temp\d3244998b8740c3d48741aac18fcbc3db4495712af27b2eb0b7b0cdc4202e3f2.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hdc-0rug.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5738.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF8E0EFC2384D45729ACF2B3478E5DFDF.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp5544.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5544.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d3244998b8740c3d48741aac18fcbc3db4495712af27b2eb0b7b0cdc4202e3f2.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2920-0-0x0000000074BF0000-0x00000000751A1000-memory.dmp
memory/2920-1-0x0000000074BF0000-0x00000000751A1000-memory.dmp
memory/2920-3-0x00000000008B0000-0x00000000008C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hdc-0rug.cmdline
| Algorithm | Digest |
| --- | --- |
| MD5 | 95d9279ad24a7a103f91267f2f666238 |
| SHA1 | f3144b2092c27b0ba20ffe2e09fc1008e1db3e00 |
| SHA256 | 498b93097dbeb482cb95ad8f84099cbd071fc0b4550c7504f34a810294be5bdd |
| SHA512 | 6b73ebfe8314c8068aa89cfced0a5c77e7194a80da71efc2c60a6d53974eeebac5f1a1a43d22540d28807424aa7e5658f019d05d74f4a1b362fdfd41636f3cdc |
memory/2228-8-0x00000000025E0000-0x00000000025F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hdc-0rug.0.vb
| Algorithm | Digest |
| --- | --- |
| MD5 | 592a35a45f432a51384bcb855126a90f |
| SHA1 | 592b18fc953b3fc7041cafb66a74afd8982e2a12 |
| SHA256 | be7363d70950bfd18bf0bf4d428bf419e21c99dae76f065f7b4e5e1123236e9a |
| SHA512 | 9a1e9da7e6efcfe71159088d8395592a2d498ae835d86eab45701bbe599c354a17960fe63ba6dbda387b601c7681617986039b1c1ff9fafb45a93f470b21014c |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| Algorithm | Digest |
| --- | --- |
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbcF8E0EFC2384D45729ACF2B3478E5DFDF.TMP
| Algorithm | Digest |
| --- | --- |
| MD5 | ac21308fe40cf2f1cad328771a7e2644 |
| SHA1 | c0a9c077dab800ad29a8c780cc6cba535179b325 |
| SHA256 | 48e2776dd72a9bac66e9052ba89a7ca22bb43ff335e4e0d375ee71f62b6c504f |
| SHA512 | 852bf5b43ce5d338df29f2a37a7686fb23adccfae8a876d196b98f063c0d3b85a8adf4f3c9524975d9f9edbc635f924dbd9bdd267bbd01024ca5f17a25ec94d0 |
C:\Users\Admin\AppData\Local\Temp\tmp5544.tmp.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 7f1c7dcdbbd0320b5fc71d3e22c149cc |
| SHA1 | 43e0566e118ab562a926c3a0b4fbe4a43842f466 |
| SHA256 | 0e8998b7556142928b85a109b10eb8ea71351270169bf45bc6a2e94b6f1fb7cd |
| SHA512 | ed98e786c31229755b4acd49d3e51596c943dcece1d1adf6574da050fc22a4b6c70ec1d4e05560f3deb5f17472a9b8d67326812dcff66797193203eecae78a50 |
C:\Users\Admin\AppData\Local\Temp\RES5738.tmp
| Algorithm | Digest |
| --- | --- |
| MD5 | c36204f64cbdf39ea26784cb63f2d68e |
| SHA1 | 3a7c1da13bf9bdef4b28e5773d4e26147f2bdbc9 |
| SHA256 | 89254d9f1245aefc9f2f1444f08e3d89380d2901484f8b43e609865d5163bce4 |
| SHA512 | 8a318fdd7667a5726c9f889ea21eeed3d0fbdd7fe12bda1b1c431f1f39f8e8c9cb9106345daee824ebcb718093b6c559ee6820501054f3ad251d450ed9c00ee7 |
memory/2920-21-0x0000000074BF0000-0x00000000751A1000-memory.dmp
memory/1956-22-0x0000000074BF0000-0x00000000751A1000-memory.dmp
memory/1956-23-0x0000000001460000-0x0000000001470000-memory.dmp
memory/1956-24-0x0000000074BF0000-0x00000000751A1000-memory.dmp
memory/1956-26-0x0000000001460000-0x0000000001470000-memory.dmp
memory/1956-27-0x0000000074BF0000-0x00000000751A1000-memory.dmp
memory/1956-28-0x0000000001460000-0x0000000001470000-memory.dmp
memory/1956-29-0x0000000001460000-0x0000000001470000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-12 01:53
Reported
2024-04-12 01:56
Platform
win7-20240221-en
Max time kernel
141s
Max time network
153s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp401C.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d3244998b8740c3d48741aac18fcbc3db4495712af27b2eb0b7b0cdc4202e3f2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d3244998b8740c3d48741aac18fcbc3db4495712af27b2eb0b7b0cdc4202e3f2.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp401C.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d3244998b8740c3d48741aac18fcbc3db4495712af27b2eb0b7b0cdc4202e3f2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp401C.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d3244998b8740c3d48741aac18fcbc3db4495712af27b2eb0b7b0cdc4202e3f2.exe
"C:\Users\Admin\AppData\Local\Temp\d3244998b8740c3d48741aac18fcbc3db4495712af27b2eb0b7b0cdc4202e3f2.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p78g9dwy.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4184.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4183.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp401C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp401C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d3244998b8740c3d48741aac18fcbc3db4495712af27b2eb0b7b0cdc4202e3f2.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2252-0-0x00000000745B0000-0x0000000074B5B000-memory.dmp
memory/2252-1-0x00000000745B0000-0x0000000074B5B000-memory.dmp
memory/2252-2-0x00000000020A0000-0x00000000020E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\p78g9dwy.cmdline
| Algorithm | Digest |
| --- | --- |
| MD5 | 356aa74df5b753ca5af773ec0b671cc0 |
| SHA1 | ac4ada29e9c40ddc7d78193b9ab733fd96f9dea3 |
| SHA256 | 3808d6ab814b8dbca7c3a1d4184a21199c0a10a72b96f227b2c8888f7c3d2bf2 |
| SHA512 | 05d3add644f0539807e0fc9457cfae85d0afeb1e85154ebd289bd7f7ffc86ebb3e79cb6afa719ac562a248f7f9a829d46b4bd332e5286fb9e482d1ce8ac66921 |
C:\Users\Admin\AppData\Local\Temp\p78g9dwy.0.vb
| Algorithm | Digest |
| --- | --- |
| MD5 | 435c44a6130dcb8cccf634adaef8c4f0 |
| SHA1 | 5315775a090190b62ee103333df30b05c8ef0ff6 |
| SHA256 | 783283acb08fa654a69c18807d42cdb5a36123d95736e278d1f23d9dafa07fcb |
| SHA512 | 0187e15f1a0cd45caf81b48cdeb1e5bf93e4c3562130ac1e5e0dee96ba5ebf6e3f23ab169862e5b0a5b3cd4af5888792a3824bedf32f8e57d18a454799bf6d2d |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| Algorithm | Digest |
| --- | --- |
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc4183.tmp
| Algorithm | Digest |
| --- | --- |
| MD5 | 2c5944f19455f2c2dbb57e34a1dce468 |
| SHA1 | b3683d28c4b295e4f45a1fdb41b45691f9752f7a |
| SHA256 | 0341e2e635c9be72a1be6f4035cfe89cd3f7d8270ac5bfd32f25941f7e7e88db |
| SHA512 | 95fe59293154a4683aa1bd3a024fa54cc4676f1cbce551a6772bad5732aae450f5bbaee6179ff69e329b141df8cd8f4689b98d5ff0bfdc9738c51a4450d38fb1 |
C:\Users\Admin\AppData\Local\Temp\RES4184.tmp
| Algorithm | Digest |
| --- | --- |
| MD5 | 5f5e22e8a42faa8455be6239ec3d048e |
| SHA1 | e085094b6707d5c12cee49ecf47035f2e48d18e6 |
| SHA256 | 2b2c0706b97015394f6cd90addb482ce54c60307ef0e8588474d12c511c46abe |
| SHA512 | 5fd7db61695e7afd88eab49071da344663b08dfbf69d14c99bcead1be28ec1ffb2f2efa878cfa2e989c34e61b9cd3de573c910e64893e28800e2fb9109c0eba0 |
C:\Users\Admin\AppData\Local\Temp\tmp401C.tmp.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 685ae5796812b7030e6178574f698b5b |
| SHA1 | 936cd5f298f4215c918a73804a56969e7f78c4ae |
| SHA256 | 897321ced55f4d9486aa51f74fad72aaf496da17b1ad1edf80e7cad04e169c89 |
| SHA512 | 61e83983da62578c0bf7bad53fadc510d9c7e20ec89685c3151ee8c9182bf3f9352f7ce5adac02ead27e3c59a569195d4304a56130c1a28b02043a17debd7b59 |
memory/2252-22-0x00000000745B0000-0x0000000074B5B000-memory.dmp
memory/2452-23-0x00000000745B0000-0x0000000074B5B000-memory.dmp
memory/2452-24-0x0000000000550000-0x0000000000590000-memory.dmp
memory/2452-25-0x00000000745B0000-0x0000000074B5B000-memory.dmp
memory/2452-27-0x0000000000550000-0x0000000000590000-memory.dmp
memory/2452-28-0x00000000745B0000-0x0000000074B5B000-memory.dmp
memory/2452-29-0x0000000000550000-0x0000000000590000-memory.dmp
memory/2452-30-0x0000000000550000-0x0000000000590000-memory.dmp