Analysis Overview
SHA256
351478e0165f7dd0c041d73b2163a3cbeb33306f93ef9362b6aa605c586c9c75
Threat Level: Known bad
The file e61c0733eec554b44a88b45bf4255965_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 23:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 23:28
Reported
2024-04-07 23:31
Platform
win7-20240221-en
Max time kernel
162s
Max time network
170s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\srxx1czb.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8834.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8833.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
Files
C:\Users\Admin\AppData\Local\Temp\srxx1czb.cmdline
C:\Users\Admin\AppData\Local\Temp\srxx1czb.0.vb
C:\Users\Admin\AppData\Local\Temp\zCom.resources
C:\Users\Admin\AppData\Local\Temp\vbc8833.tmp
C:\Users\Admin\AppData\Local\Temp\RES8834.tmp
C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 23:28
Reported
2024-04-07 23:30
Platform
win10v2004-20240319-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp824F.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp824F.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp824F.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\afag3fhf.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8424.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB43D1A27EBA4377A9E596FCAE7C92F.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp824F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp824F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3796 --field-trial-handle=2224,i,17688331074622862378,73816879873678745,262144 --variations-seed-version /prefetch:8
Network
Files
C:\Users\Admin\AppData\Local\Temp\afag3fhf.cmdline
C:\Users\Admin\AppData\Local\Temp\afag3fhf.0.vb
C:\Users\Admin\AppData\Local\Temp\zCom.resources
C:\Users\Admin\AppData\Local\Temp\vbcFB43D1A27EBA4377A9E596FCAE7C92F.TMP
C:\Users\Admin\AppData\Local\Temp\RES8424.tmp
C:\Users\Admin\AppData\Local\Temp\tmp824F.tmp.exe