Malware Analysis Report

2024-11-15 06:11

Sample ID 240407-3f1zeahh64
Target e61c0733eec554b44a88b45bf4255965_JaffaCakes118
SHA256 351478e0165f7dd0c041d73b2163a3cbeb33306f93ef9362b6aa605c586c9c75
Tags: metamorpherrat persistence rat stealer trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 351478e0165f7dd0c041d73b2163a3cbeb33306f93ef9362b6aa605c586c9c75

Threat Level: Known bad

The file e61c0733eec554b44a88b45bf4255965_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 23:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 23:28
Reported: 2024-04-07 23:31
Platform: win7-20240221-en
Max time kernel: 162s
Max time network: 170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1792 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2212 wrote to memory of 2132 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1792 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\srxx1czb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8834.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8833.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp

Files


C:\Users\Admin\AppData\Local\Temp\srxx1czb.cmdline



C:\Users\Admin\AppData\Local\Temp\srxx1czb.0.vb


C:\Users\Admin\AppData\Local\Temp\zCom.resources


C:\Users\Admin\AppData\Local\Temp\vbc8833.tmp


C:\Users\Admin\AppData\Local\Temp\RES8834.tmp


C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.exe



Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 23:28
Reported: 2024-04-07 23:30
Platform: win10v2004-20240319-en
Max time kernel: 150s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp824F.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp824F.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp824F.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 376 wrote to memory of 1780 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2156 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp824F.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\afag3fhf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8424.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB43D1A27EBA4377A9E596FCAE7C92F.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp824F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp824F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e61c0733eec554b44a88b45bf4255965_JaffaCakes118.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3796 --field-trial-handle=2224,i,17688331074622862378,73816879873678745,262144 --variations-seed-version /prefetch:8

Network


Files


C:\Users\Admin\AppData\Local\Temp\afag3fhf.cmdline



C:\Users\Admin\AppData\Local\Temp\afag3fhf.0.vb


C:\Users\Admin\AppData\Local\Temp\zCom.resources


C:\Users\Admin\AppData\Local\Temp\vbcFB43D1A27EBA4377A9E596FCAE7C92F.TMP


C:\Users\Admin\AppData\Local\Temp\RES8424.tmp


C:\Users\Admin\AppData\Local\Temp\tmp824F.tmp.exe

