Analysis Overview
SHA256
d91c05a3eff0a8efe68dcede65775c3e246b47125fda5ccbe0f9a592b440b857
Threat Level: Known bad
The file e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Checks computer location settings
Executes dropped EXE
Uses the VBS compiler for execution
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 08:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 08:35
Reported
2024-04-08 08:37
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp33B2.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp33B2.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp33B2.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r_rsxecb.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES347D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc77F5433D4E4D41929CA948C1A6A4981D.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp33B2.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp33B2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/4280-1-0x0000000001580000-0x0000000001590000-memory.dmp
memory/4280-0-0x0000000075150000-0x0000000075701000-memory.dmp
memory/4280-2-0x0000000075150000-0x0000000075701000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\r_rsxecb.cmdline
| MD5 | e22e1fac1ef1f620bc7a43e0493b6067 |
| SHA1 | 70e024af78c5f2299af0c692c2990b239414c993 |
| SHA256 | 5c07e141ba16003db63663783cb1a0adee76e657444ef9905f29a4c6dba4d2b2 |
| SHA512 | 2a18d9fa7adae576cdbc40f903aee52954268a947d39713b78e7d26df76d78748b8432ea5cb530d5bdb3301dc13629ce596f3eea2c30403e97c3e22bb0a9ec77 |
memory/5052-8-0x00000000006E0000-0x00000000006F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\r_rsxecb.0.vb
| MD5 | 435818a9a2336c4be6d852fb2ddc0a85 |
| SHA1 | 7deee0508b30bdccc70cd0bbbffe1d3dcc645021 |
| SHA256 | 1df6b8dfb703fe8e44af387ecb4fdfab311700c2a12575316bd06351237c2111 |
| SHA512 | 513478fd8e2c9b34e4634d675da20f81099c0271a7668c91405d07f85e3330b7f3271aa543a2e79792c6fd74f5023cd7ba4d4b001c3b6ff86bd192d42f9e88bb |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc77F5433D4E4D41929CA948C1A6A4981D.TMP
| MD5 | f70c7fcf295bbb88db3d782d5c91085d |
| SHA1 | a8e2aa95bfc8f695a4e212f7006ccac61f9ab360 |
| SHA256 | f437d25318d421d57907a21edee29de8b15244087430183a6658b27a2999b9da |
| SHA512 | 9d784f346c4d7f4c636946e45c9b19f8caad998553f1e5dfbea7199c75b5580c32f04bcefee08ab8674d144b7ea30ab0041041eb8b4bab7481037e3eb80da871 |
C:\Users\Admin\AppData\Local\Temp\RES347D.tmp
| MD5 | b1b4171b3ef71c761ea9f69a46830714 |
| SHA1 | 002b1bcbd97baf618bf62ef6c4bc990cc6b898fb |
| SHA256 | 6e02ec9aa90efeddfaca19624a8e370abfcffd6bae9383283cde0ae62ee225ff |
| SHA512 | 9ce72e8f2cb098f327c0edf3535b560815680edba6ec0afea2ed003bcc4e2329fc8b553cd2ae0f83107fba2c5a0c6fb38d31ec535c458b4b6d2c259819bbfd01 |
C:\Users\Admin\AppData\Local\Temp\tmp33B2.tmp.exe
| MD5 | def6e676b4724e9ee2a7a25ddb4f9653 |
| SHA1 | c66840a75ef916ac93cc6e0033d7c4c5004c481d |
| SHA256 | 951e8720e10696e814168dda395a3bb210d1bc9a04a31d4a37730c1c416d146c |
| SHA512 | e8f4ea8c408dfdf9d988f5a3cc352aff2551158c869bc976039bd106a4c318af2ac14bcfad1d4f769b4676db99c96696d26d3f53636612d102705646fc33b231 |
memory/4280-21-0x0000000075150000-0x0000000075701000-memory.dmp
memory/4124-22-0x0000000075150000-0x0000000075701000-memory.dmp
memory/4124-23-0x00000000011F0000-0x0000000001200000-memory.dmp
memory/4124-24-0x0000000075150000-0x0000000075701000-memory.dmp
memory/4124-26-0x00000000011F0000-0x0000000001200000-memory.dmp
memory/4124-27-0x0000000075150000-0x0000000075701000-memory.dmp
memory/4124-28-0x00000000011F0000-0x0000000001200000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 08:35
Reported
2024-04-08 08:37
Platform
win7-20240221-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp25C9.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp25C9.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp25C9.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bstgaruu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2666.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2665.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp25C9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp25C9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e70e6981b147592d7ae3f9a8f30f0073_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | hackorchronix.no-ip.biz | udp |
Files
memory/2992-0-0x0000000074660000-0x0000000074C0B000-memory.dmp
memory/2992-1-0x0000000000CA0000-0x0000000000CE0000-memory.dmp
memory/2992-2-0x0000000074660000-0x0000000074C0B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bstgaruu.cmdline
| MD5 | c3f39559f4e0da0d0960d97c1b030a30 |
| SHA1 | c3beaecaa98278b1490f59345bfcaef43fdb9438 |
| SHA256 | 288361ef135f1901782ca6c8219f1a80df19f3266b683ba10a0a391d30772185 |
| SHA512 | 1daa281388d057e925a285c5c8d31cdf07829f05d17daa248f92b4a486b4dba4a9d876fd5f97bdfbc63e42083de31074c7daf146284217912e14dac965f27970 |
C:\Users\Admin\AppData\Local\Temp\bstgaruu.0.vb
| MD5 | efdaa6cbf7e3d30ad9f5db26ef5100ba |
| SHA1 | 47824567fd927d2f43281e347bad3b4677062448 |
| SHA256 | 5d0ca67ca358282b5c9cf2dfbe9a81926229c86be6c37c1f2eae079fc6d57785 |
| SHA512 | 802efba6b2ed1d9189613c8a23cb485d7e7b106f5e63018a896638f9c6ecf12c38ad0f3133f4a51386608b177ffea1519568546d94055c5a75814adfdd9d857c |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| SHA512 | 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65 |
C:\Users\Admin\AppData\Local\Temp\vbc2665.tmp
| MD5 | 9069b7300823e3eaa33d586de83887ba |
| SHA1 | f01028d5eddb5b8df13cce709f7be815de7d7bf3 |
| SHA256 | 016cf662ab8ed0ad38933ec60e79b48b9c78fc94ab499c75c568decdde725a59 |
| SHA512 | 868f2eb891835d5c267770b37110d2d72ba1fb80545c016d085f708dc8783d013e0d76e0a984e3253d0396c84bed72091aa7b789b73f5e0a06e3e43cb4a6ac8e |
C:\Users\Admin\AppData\Local\Temp\RES2666.tmp
| MD5 | f3702b2a21a3a7dce581f3d00e2c04ed |
| SHA1 | a8f65b9014dcc7e12d25258885430571012174d5 |
| SHA256 | bb9fc64d3b96adaab6b4de71fc21f93fdb87498a9f20e83ce742933dcf26086b |
| SHA512 | b88211117acc417b575fbecc534df51e770d848c940efc8f6a4279aeae5dd3965d4277efe21ba554affabc462a464e5c5eca785876298f225b5e3feb6816c575 |
C:\Users\Admin\AppData\Local\Temp\tmp25C9.tmp.exe
| MD5 | 014c3447753049778a4fdcdeb9c1fed5 |
| SHA1 | 0e075cf596585e9a064eec2f0a2503c5b43aae0a |
| SHA256 | 348b3d231e932f409fd94b945c3f4cf3602ba39c33b48a3fd021cffdf1397e80 |
| SHA512 | 36efaa38f73811723d4bbd39ed085dacdf63002616e00d41647838ebf6cad1841639ed86e5f0e2abc7d5e93f2841c2ee36c1faffbccd53c33ce2e164ce8be584 |
memory/2652-23-0x0000000074660000-0x0000000074C0B000-memory.dmp
memory/2652-24-0x0000000000120000-0x0000000000160000-memory.dmp
memory/2992-22-0x0000000074660000-0x0000000074C0B000-memory.dmp
memory/2652-25-0x0000000074660000-0x0000000074C0B000-memory.dmp
memory/2652-27-0x0000000000120000-0x0000000000160000-memory.dmp
memory/2652-28-0x0000000074660000-0x0000000074C0B000-memory.dmp
memory/2652-29-0x0000000000120000-0x0000000000160000-memory.dmp
memory/2652-30-0x0000000000120000-0x0000000000160000-memory.dmp