Analysis Overview
SHA256
a78d29187a50431c5865c0e25979055dfb76737a12c2bfdee725013d056fe471
Threat Level: Known bad
The file e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Uses the VBS compiler for execution
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 00:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 00:36
Reported
2024-04-09 00:39
Platform
win7-20240215-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp16BC.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp16BC.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp16BC.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7xhqborh.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1759.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1758.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp16BC.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp16BC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 |  | tcp |
Files
memory/2072-1-0x0000000001FE0000-0x0000000002020000-memory.dmp
memory/2072-0-0x0000000074AD0000-0x000000007507B000-memory.dmp
memory/2072-2-0x0000000074AD0000-0x000000007507B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7xhqborh.cmdline
| MD5 | 547ecf71041cb3ef34665ad4a256619a |
| SHA1 | 3c6073a5138f1bfbe548096d4b68fcd851b9939f |
| SHA256 | 095f16ef596dc0d1a9ce1e312d0584e9b4711129c2c9c4c20470073fd093e3b0 |
| SHA512 | 6dbb583d2d0f07f19b190596c8b22d27a1a999f4c45dd527278fdbf8601ceaa28611b14b78896e97714b933c99d895f1b865101730e8c28b18b1e22d55a649b3 |
C:\Users\Admin\AppData\Local\Temp\7xhqborh.0.vb
| MD5 | 823b1eb86def5e3e63b20d9afa17c4c7 |
| SHA1 | 916baed6275a978ac1d22342670054b4ee20b000 |
| SHA256 | d05ed3426af9b45a94c0e5d8dc196f6fa3422a49a4eddbcfd49959b63f279c31 |
| SHA512 | 762255cad7bd78cf53152adea57084bf3e9ea05ed74090d2888abf9a10ec6bb1333cc09bc621e71f14f261c2db532da515446b251a636d93cbe45f57610da656 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 6870a276e0bed6dd5394d178156ebad0 |
| SHA1 | 9b6005e5771bb4afb93a8862b54fe77dc4d203ee |
| SHA256 | 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4 |
| SHA512 | 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809 |
C:\Users\Admin\AppData\Local\Temp\vbc1758.tmp
| MD5 | 0c120cad3bc4ab00dab2fb841581938c |
| SHA1 | 4ffac40b8cb60a978212f130ba7d6998bb10043c |
| SHA256 | 01249e81f4aa72b8dacce179d1b8df0a5c269d4b4c2ef8b4c42e3d2dde6eaa15 |
| SHA512 | 4113011718f459f49ef7aae8d52e7589a0c682ec74f3fb63204fc7cca6f056a17183dc09fb195d98bd98ae2daacef231cee23e0e273517b9bc2523c6eac5d918 |
C:\Users\Admin\AppData\Local\Temp\tmp16BC.tmp.exe
| MD5 | 97d7d98d9f0fb29856eb408e4a6c899f |
| SHA1 | 6faff0b1d7b215a2609418135bf1330c47ae245f |
| SHA256 | 86c64660f8f1ffebb522f7de13d9b6732de495700c25523f675d8289b0d67ead |
| SHA512 | 68dda89c1fb684d7d2fe77706ca061da22287617ddcf87565adae2a3f75c484f05728fc4043223acc0bdf07a88e97d8bb451a476e6be598355e7b0b892c2d983 |
C:\Users\Admin\AppData\Local\Temp\RES1759.tmp
| MD5 | 9eea1dc3a74465a144ccdac289794af5 |
| SHA1 | 4486b7d0870c42a97c3a81b26e2ca75ba2d550e1 |
| SHA256 | ca85e251c38f977ff553a95e3f7010a3676ad47724032d08fbe5dd91b882bce0 |
| SHA512 | 5bf8cf16913e58624acb94c8684b636421216c4afb0294c2cd6597520c7fc26489865993b5e15f0bf2ac4989a61b7f941dd1d9ba9995cadf60b37a1229350aaf |
memory/2592-23-0x0000000074AD0000-0x000000007507B000-memory.dmp
memory/2592-24-0x0000000000BA0000-0x0000000000BE0000-memory.dmp
memory/2592-25-0x0000000074AD0000-0x000000007507B000-memory.dmp
memory/2072-22-0x0000000074AD0000-0x000000007507B000-memory.dmp
memory/2592-27-0x0000000000BA0000-0x0000000000BE0000-memory.dmp
memory/2592-28-0x0000000074AD0000-0x000000007507B000-memory.dmp
memory/2592-29-0x0000000000BA0000-0x0000000000BE0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 00:36
Reported
2024-04-09 00:39
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3671.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp3671.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3671.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g5vdoxwt.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6BC49DA5BF824CB5B7D772CF717C2680.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp3671.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3671.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 |  | tcp |
Files
memory/1400-0-0x0000000074C10000-0x00000000751C1000-memory.dmp
memory/1400-1-0x0000000074C10000-0x00000000751C1000-memory.dmp
memory/1400-2-0x0000000001A00000-0x0000000001A10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\g5vdoxwt.cmdline
| MD5 | f7fda0845214bd3d6d9f65be2d069ec2 |
| SHA1 | e5c5ed828498d67531adbff787cf66e5818c7adc |
| SHA256 | a47b5f6fcba98366ec322aaebab1168ed2815d84e686369d2a5dbc7e9f20747d |
| SHA512 | 6efbcaaa2d7c6f5f2dd824ab46daed14e8549f6fe8b75440bc68597415eb7ce2e98d571e5a14503f9c739d2572b9dfc0728fa9dd3b26b2a0b645c04f56beefbe |
memory/4300-8-0x0000000002400000-0x0000000002410000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\g5vdoxwt.0.vb
| MD5 | 054378a57a4c9547d7ec9a8b690c2d60 |
| SHA1 | 181f868f54542e98b22abefcbf32ac32611dc172 |
| SHA256 | fed81a9d3d6d60d533d151d7e1d68060420b2539b0bb7ffe3c72aec837d2328a |
| SHA512 | 33dbc1a7a4af4d2cf257c052d4c256a7fac336d3fa925a8c04d3b7e5c5ca73330ece2cf5a5125e38859506821cd538fdf6b8366a1f46f8f78046cd44267433b8 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 6870a276e0bed6dd5394d178156ebad0 |
| SHA1 | 9b6005e5771bb4afb93a8862b54fe77dc4d203ee |
| SHA256 | 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4 |
| SHA512 | 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809 |
C:\Users\Admin\AppData\Local\Temp\vbc6BC49DA5BF824CB5B7D772CF717C2680.TMP
| MD5 | bfc14c97113e7bf86d735c4624cbbbc1 |
| SHA1 | 94d97a4c96d6399d5bc2b825b355c82d44f72467 |
| SHA256 | 05a9281e8a9d470aab7c22a9059350957201f008ec47834bc82230ebf4c94d0d |
| SHA512 | 2dc9df37ef061ff0069412f0fdb897bcf4fee7a6a73941a4cc3d571a2702055dba86a1759ddd19c7b63054481eccd57ed6bd7e02d937b87e20eab6f7da2b6aa7 |
C:\Users\Admin\AppData\Local\Temp\RES37AA.tmp
| MD5 | aa0925686b6b0959f91a4e9bcce05376 |
| SHA1 | 9ba2e34e566d09a7fc8234496e1f7d3985417920 |
| SHA256 | b22f8ce579efd820885f29f83182fc026699c9c156802de205e2ec608be42371 |
| SHA512 | 5e5cb4a51c0d33584cd32eaf53428a29e818fd1ee3395ba1d55d74ea047711f4d65736bdaecb573796e8b75c017c1418fd0949ccb8b2b93b188d5837f685387e |
C:\Users\Admin\AppData\Local\Temp\tmp3671.tmp.exe
| MD5 | 4c2bc8182affb695bc645ef5c4a54c34 |
| SHA1 | 15b9b95f42c1ffc7aa35f172511a1ae90b190d66 |
| SHA256 | 7e681457f4860f7d18653e9c959db1d9583c6707e70012b564fbda2cc2454c2d |
| SHA512 | 73cd5f4be944fa87378129e8d6ca90f478fe046f54dde42efd7d894aa490fd60d08a83c2fc8a7713e8d4535335c449aba3ff1b63905f51f5889d3fe8d2923638 |
memory/3848-22-0x0000000074C10000-0x00000000751C1000-memory.dmp
memory/1400-21-0x0000000074C10000-0x00000000751C1000-memory.dmp
memory/3848-23-0x0000000000D60000-0x0000000000D70000-memory.dmp
memory/3848-24-0x0000000074C10000-0x00000000751C1000-memory.dmp
memory/3848-26-0x0000000000D60000-0x0000000000D70000-memory.dmp
memory/3848-27-0x0000000074C10000-0x00000000751C1000-memory.dmp
memory/3848-28-0x0000000000D60000-0x0000000000D70000-memory.dmp
memory/3848-29-0x0000000000D60000-0x0000000000D70000-memory.dmp