Analysis Overview
SHA256
b67841f190d5eefa0af36bffcf65ac83f994479d912d50bc71ffa314d07236c9
Threat Level: Known bad
The file e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Uses the VBS compiler for execution
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 05:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 05:59
Reported
2024-04-09 06:02
Platform
win7-20240221-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp50EE.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp50EE.tmp.exe | N/A |
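The Run-key indicator above is the one line in this report a responder will want to turn into a rule: it names the user (by SID), the value name (ShFusRes) and the target, which sits in the user's Temp directory. The following is an added example, not sandbox code, that parses indicator strings in the sandbox's own "key\name = "data"" format and grades them. The first two strings are copied from the behavioral1 and behavioral2 signatures of this report; the third is a constructed benign control. The list of user-writable directories and the verdict names are my choices.

```python
"""Grade a sandbox "Set value (str)" registry indicator: is it a Run-key
persistence entry whose target lives in a user-writable directory?

Added example for this report, not sandbox code. The first two indicators are
copied from the report; the third is a constructed benign control.
"""
import re

INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""',
    r'\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""',
    # Constructed control: an HKLM Run value pointing into Program Files.
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray = "\"C:\\Program Files\\Vendor\\tray.exe\""',
]

# key = everything up to the last backslash before "name = data"
IND_RE = re.compile(r'^(?P<key>\\REGISTRY\\[^=]+)\\(?P<name>[^\\=]+?)\s*=\s*(?P<data>.*)$')
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(?:Once)?$', re.IGNORECASE)
# Locations a standard user can write to (assumed list); a Run value pointing
# here is the "drop and persist" pattern rather than an installed product.
USER_WRITABLE = ('\\appdata\\local\\temp\\', '\\appdata\\roaming\\',
                 '\\users\\public\\', '\\programdata\\')


def _unescape(s):
    """Undo the C-style escaping the sandbox applies to string data (\\" and \\\\)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s) and s[i + 1] in '\\"':
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def parse_indicator(indicator):
    """Split "\\REGISTRY\\...\\Key\\Name = "data"" into key, SID, name and decoded data."""
    m = IND_RE.match(indicator)
    if not m:
        raise ValueError("not a Set value indicator: %r" % indicator)
    data = m.group("data").strip()
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        data = data[1:-1]           # outer quotes added by the sandbox
    data = _unescape(data)
    key = m.group("key")
    parts = key.split('\\')         # ['', 'REGISTRY', 'USER', 'S-1-5-21-...', ...]
    sid = None
    if len(parts) > 3 and parts[2].upper() == "USER" and parts[3].upper().startswith("S-1-5-"):
        sid = parts[3]
    return {"key": key, "sid": sid, "name": m.group("name"), "data": data}


def command_path(data):
    """Return the executable path from a Run value (quoted path, or first token)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(' ')[0]


def assess(indicator):
    """Parse one indicator and attach a verdict."""
    ind = parse_indicator(indicator)
    path = command_path(ind["data"])
    run_key = bool(RUN_KEY_RE.search(ind["key"]))
    writable = any(d in path.lower() for d in USER_WRITABLE)
    if run_key and writable:
        verdict = "persistence_in_user_writable_dir"
    elif run_key:
        verdict = "run_key"
    else:
        verdict = "other"
    ind.update(path=path, run_key=run_key, user_writable=writable, verdict=verdict)
    return ind


if __name__ == "__main__":
    for s in INDICATORS:
        r = assess(s)
        print(r["verdict"], r["sid"], r["name"], r["path"])
```

Both runs yield the same value name and target (C:\Users\Admin\AppData\Local\Temp\big5.exe) under different user SIDs, so a detection should key on the value name plus a Temp-directory target rather than on the SID. Note that big5.exe does not appear in the Files list of either run; only the registry value is observed, so a host check must look for the value first and then for whether the target was ever written.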
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp50EE.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wfibnhjq.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52A3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc52A2.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp50EE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp50EE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe
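The process list shows the whole technique: the sample writes a VB.NET source file and a response file to Temp (wfibnhjq.0.vb and wfibnhjq.cmdline under Files), invokes vbc.exe, the VB.NET command-line compiler shipped with .NET Framework 2.0, with /noconfig @response-file, vbc's resource step runs cvtres.exe with its output in Temp, and a tmp50EE.tmp.exe then starts from Temp with the original sample's path as its argument. The following detection logic is an added example, not sandbox code. Its events are constructed from the command lines above with Sysmon-style field names (pid, ppid, image, cmdline), which are an assumption; the PIDs 1736, 2500 and 2556 are taken from the memory-dump names in the Files section, and which PID belongs to which process is likewise an assumption. It also matches csc.exe, the C# compiler, because the same pattern applies to it; the report only shows vbc.exe.

```python
"""Flag the "compile in %TEMP%, then run the build" process chain shown in the
report. Added example, not sandbox code; events are constructed from the
report's command lines, field names and PIDs are assumptions.
"""
import re

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
DROPPED_EXE_RE = re.compile(r"\\tmp[0-9A-F]+\.tmp\.exe$", re.IGNORECASE)
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe"
NET2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
DROPPED = TEMP + r"\tmp50EE.tmp.exe"

# Constructed process-creation events; command lines copied from the report.
EVENTS = [
    {"pid": 1736, "ppid": 1000, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"pid": 2500, "ppid": 1736, "image": NET2 + r"\vbc.exe",
     "cmdline": '"%s\\vbc.exe" /noconfig @"%s\\wfibnhjq.cmdline"' % (NET2, TEMP)},
    {"pid": 2520, "ppid": 2500, "image": NET2 + r"\cvtres.exe",
     "cmdline": '%s\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%s\\RES52A3.tmp" "%s\\vbc52A2.tmp"'
                % (NET2, TEMP, TEMP)},
    {"pid": 2556, "ppid": 1736, "image": DROPPED, "cmdline": '"%s" %s' % (DROPPED, SAMPLE)},
    # Constructed benign control: the same compiler invoked from a build tree.
    {"pid": 4100, "ppid": 4000, "image": NET2 + r"\vbc.exe",
     "cmdline": '"%s\\vbc.exe" /noconfig @"C:\\Projects\\App\\obj\\Debug\\App.cmdline"' % NET2},
]


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [q if q else u for q, u in ARG_RE.findall(cmdline)]


def classify(event):
    """Return the set of suspicious traits one process-creation event shows."""
    image = event["image"].lower()
    args = split_cmdline(event["cmdline"])[1:]
    tags = set()
    if image.endswith("\\vbc.exe") or image.endswith("\\csc.exe"):
        for a in args:
            # @file is a compiler response file; one in Temp means runtime compilation
            if a.startswith("@") and TEMP_RE.search(a[1:].strip('"')):
                tags.add("runtime_compile_from_temp")
    if image.endswith("\\cvtres.exe"):
        for a in args:
            if a.upper().startswith("/OUT:") and TEMP_RE.search(a):
                tags.add("resource_build_in_temp")
    if DROPPED_EXE_RE.search(image):
        tags.add("dropped_build_exec")
        if any(TEMP_RE.search(a) and a.lower().endswith(".exe") for a in args):
            tags.add("original_sample_passed_as_arg")
    return tags


def _root_of(pid, by_pid):
    """Walk ppid links up to the highest ancestor present in the event set."""
    seen = set()
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def find_compile_chains(events):
    """Group events into process trees; report trees that both compile from
    Temp and execute a tmpXXXX.tmp.exe built there."""
    by_pid = {e["pid"]: e for e in events}
    trees = {}
    for e in events:
        trees.setdefault(_root_of(e["pid"], by_pid), []).append(e)
    chains = []
    for root, members in trees.items():
        tags = set()
        for m in members:
            tags |= classify(m)
        if {"runtime_compile_from_temp", "dropped_build_exec"} <= tags:
            chains.append({"root_pid": root, "root_image": by_pid[root]["image"],
                           "pids": [m["pid"] for m in members], "tags": sorted(tags)})
    return chains


if __name__ == "__main__":
    for c in find_compile_chains(EVENTS):
        print(c["root_image"], c["pids"], c["tags"])
```

The behavioral2 run shows the same chain with different random names (sxgynasr.cmdline, RES4BCE.tmp, tmp4A96.tmp.exe), so the match is on the pattern (response file in Temp, resource output in Temp, tmp*.tmp.exe started with the parent's own path) and not on file names. The control event shows why the Temp check matters: vbc.exe with a response file under a project's obj\ directory is what a normal build looks like.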
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
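The table above is long but carries only a few facts: one DNS query for bejnz.com, 59 TCP connections to 34.67.9.172:80 for that name within a roughly 150 s run, each followed by a loopback row that names no domain. Reading that by eye is error-prone, so the following added example (not sandbox code) parses rows in the sandbox's table format, aggregates per destination and protocol, flags destinations contacted repeatedly as beacon candidates, and produces the domain and IP list worth blocking. The embedded excerpt is constructed from this table's rows (same values, far fewer of them); it includes one of the sandbox's reverse-DNS rows from the behavioral2 table to show that in-addr.arpa lookups are excluded. The parser also accepts rows where the Domain column holds the protocol and the Proto column is empty, as the loopback rows appear in some extractions of this report. The hit threshold is my choice.

```python
"""Aggregate a sandbox Network table into per-destination counts, beacon
candidates and an IOC list. Added example, not sandbox code; the table
excerpt below is constructed from the report's rows.
"""

TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp | |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | tcp |
"""


def parse_rows(table_text):
    """Parse pipe-delimited rows; repair rows whose Domain cell holds the protocol."""
    rows = []
    for line in table_text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip('|').split('|')]
        if not cells or cells[0].lower() == "country":
            continue
        cells += [""] * (4 - len(cells))          # tolerate a missing trailing cell
        country, dest, domain, proto = cells[:4]
        if domain.lower() in ("tcp", "udp") and not proto:
            domain, proto = "N/A", domain         # columns shifted left by one
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto.lower()})
    return rows


def summarise(rows):
    """Count rows per (destination, proto) and collect the domains seen for each."""
    summary = {}
    for r in rows:
        entry = summary.setdefault((r["dest"], r["proto"]), {"count": 0, "domains": set()})
        entry["count"] += 1
        if r["domain"] not in ("", "N/A"):
            entry["domains"].add(r["domain"])
    return summary


def _is_loopback(dest):
    return dest.startswith("127.")


def _is_dns(dest, proto):
    return dest.endswith(":53") and proto == "udp"


def beacon_candidates(summary, min_hits=10):
    """Destinations contacted at least min_hits times, ignoring loopback and the resolver."""
    return sorted(dest for (dest, proto), e in summary.items()
                  if e["count"] >= min_hits and not _is_loopback(dest) and not _is_dns(dest, proto))


def extract_iocs(summary):
    """Domains and IPs to block: drop loopback, the resolver itself and reverse lookups."""
    domains, ips = set(), set()
    for (dest, proto), e in summary.items():
        names = {d for d in e["domains"] if not d.endswith(".in-addr.arpa")}
        if _is_loopback(dest) or _is_dns(dest, proto):
            domains |= names                      # DNS rows still tell us what was queried
            continue
        ips.add(dest.rsplit(":", 1)[0])
        domains |= names
    return {"domains": sorted(domains), "ips": sorted(ips)}


if __name__ == "__main__":
    s = summarise(parse_rows(TABLE))
    for (dest, proto), e in sorted(s.items()):
        print(dest, proto, e["count"], sorted(e["domains"]))
    print("beacons:", beacon_candidates(s, min_hits=3))
    print("iocs:", extract_iocs(s))
```

Run against the full behavioral1 table the same code reports 34.67.9.172:80 with 59 hits and an IOC list of bejnz.com and 34.67.9.172. The loopback rows contribute no IOC and are only counted, since the report gives no domain or payload for them.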
Files
memory/1736-0-0x0000000074E00000-0x00000000753AB000-memory.dmp
memory/1736-1-0x0000000074E00000-0x00000000753AB000-memory.dmp
memory/1736-2-0x00000000020D0000-0x0000000002110000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wfibnhjq.cmdline
| MD5 | 1e2e2495cbfad8c5caf0284e62b807a6 |
| SHA1 | 66754dc40cddb902ac20db9aa1ca72eb17f5091f |
| SHA256 | 4b974eca9cdbf252adcc6d4016b48768ec50b2b341f6e035852aab0b5c4c04c4 |
| SHA512 | 0062362ca77db03a4a2eedbe2454f927e1e8d494279628413c452d59f68254102693c6e3c6d5f0e4a344fff1ad5388639d537c041f8304a62661b05baa6151ed |
memory/2500-8-0x0000000000550000-0x0000000000590000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wfibnhjq.0.vb
| MD5 | ca270a13ada72102114acd3c22efcaa0 |
| SHA1 | f1151b41b034b879ccf497913b953f52b8ff3deb |
| SHA256 | a65f97b37d2e361078db6bd33a4a2f6bd5f216ab56dded2d33bd612873903e3b |
| SHA512 | 0bffa8f5dd927f204f7f19e5f26bf854de7b795e49bd7cb8c970ac29c66b4fc606a0fe480b985cdea4c9d8a2a93a93334e26cf8e81c0df6629b017a80cdded07 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbc52A2.tmp
| MD5 | cf1b7ffd22d6b17e2d547b72bab0a27c |
| SHA1 | f327fcb4b7b3a8f8fd72b743ca092a69bc261aa3 |
| SHA256 | 896c8f51b86ba3c48f32b2ec082f8f33f5293117cc6e845db1f3330732ba453c |
| SHA512 | 56b67aceb3ced258ae3a47b0542ab8c91e67499949a645f767df2085584d244a3bd73b87ad689468649dd632cbde28b6bee0b4e6cbff9803ab987b76385c5d89 |
C:\Users\Admin\AppData\Local\Temp\RES52A3.tmp
| MD5 | 4f48aeb2814094ef7de0847f9b5d197f |
| SHA1 | 12e4febe4df1ec35b3ca7358023e80bf8d1f97c6 |
| SHA256 | daca5aeec26ce765d872c1c9f50cc8f3a9a33275802b065c43f14a6e05e193e2 |
| SHA512 | 90f31b1b1b24f9770324725e1dd639f912e3814708580883c4ad76fc2dcc7e8e215ed90de7c3e337c8ef8926666fc55ea3f6edf03433973790168771ae6fa7fe |
C:\Users\Admin\AppData\Local\Temp\tmp50EE.tmp.exe
| MD5 | e85b4ed02203209a07c84f9bb703afaa |
| SHA1 | 5995cae4b66b884164964be0f8259b2e5ca92372 |
| SHA256 | 08d758c60126bc983cc16e07eef2de6e5ab6524b54b0e613b324d50bda40896c |
| SHA512 | 8749ad36bff5a4cfde1f55afac1bece1b7f148f68455764c3f7801d470e4ad59579a1fa816ae076b8a523597479d223f29282a597967986782ef23a08799ff43 |
memory/1736-23-0x0000000074E00000-0x00000000753AB000-memory.dmp
memory/2556-24-0x0000000074E00000-0x00000000753AB000-memory.dmp
memory/2556-25-0x0000000000140000-0x0000000000180000-memory.dmp
memory/2556-26-0x0000000074E00000-0x00000000753AB000-memory.dmp
memory/2556-28-0x0000000000140000-0x0000000000180000-memory.dmp
memory/2556-29-0x0000000074E00000-0x00000000753AB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 05:59
Reported
2024-04-09 06:02
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4A96.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4A96.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp4A96.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4A96.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sxgynasr.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BCE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB52C49FAD3124654A7F75E7F15C926B.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp4A96.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4A96.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
Files
memory/1896-0-0x00000000751F0000-0x00000000757A1000-memory.dmp
memory/1896-1-0x00000000751F0000-0x00000000757A1000-memory.dmp
memory/1896-2-0x0000000001760000-0x0000000001770000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sxgynasr.cmdline
| MD5 | 778d7967d1e36d6b13d134d447c69bd7 |
| SHA1 | a71277c3b5c363c6e0be726d559a0f9ebcd735a7 |
| SHA256 | e6ca65e7045218a69ca7e16aa54dd7881ca365f0d1b5f2dc0706fd173c18580e |
| SHA512 | 38826844a9ebd2381956b7c14c36c75a85f7a81666c9bbabfef2faf6b55ce04b9d4c659d9b75ca1962604acafca20a4a28d207f4153810ed4d900f768d1de1b6 |
C:\Users\Admin\AppData\Local\Temp\sxgynasr.0.vb
| MD5 | 861d12b120aa4cb591956b8938840431 |
| SHA1 | 7d15185a1e3a91a3722a076455a556997e49b0d5 |
| SHA256 | fa15cafa8edac93cdea76bcb1f75ce0d56cd7b61d667cc2cb0b481fcc9cbc6c9 |
| SHA512 | c60b2294661c54c1957d67de49af11823714befee1ba318783d6bd096432bf07f93f1dcf1186d3ea2eeeaee3f7473f84c3428090b51280a3bcd19d43228fbeeb |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbcB52C49FAD3124654A7F75E7F15C926B.TMP
| MD5 | a91b0807d83c091996fb0cd7ccca883e |
| SHA1 | 5f643fb80ca7b979ac983a452ad7f21213ea3faa |
| SHA256 | 61935f6d471f5bae0f2c9e792425006d475e2b7cdb666c2995306f1049684c10 |
| SHA512 | a39702ea4693c337168ec4e4e57e35355dd6bfbda3b7c84a25a58d27bc632d23a3f54cb7949d375f6a3abbaf09df752f8c7239d423bf3051193131d9ef7d4dd8 |
C:\Users\Admin\AppData\Local\Temp\RES4BCE.tmp
| MD5 | e0f0195f4b1d60faac4748c2d9f97865 |
| SHA1 | 1eb5efa017c08b141ea7379226359921b73c0cd7 |
| SHA256 | 8a92b8232cb3c92b9d36956c72c17ccd263c4c6785ef95b28fa7291855d9fb88 |
| SHA512 | adbcd3342b4c34750f1d964944c89311faa18b42dcd964395a80953c13e7b3ca1451e1f51cdcaa6a9af51e916b5150f3b2c61f3a21801652af7bf25d2b21a1ca |
C:\Users\Admin\AppData\Local\Temp\tmp4A96.tmp.exe
| MD5 | 43cde89534687077cc0433d3a3e63d5a |
| SHA1 | a6570e3fb47227e389985654c5a7f8c28ad0228d |
| SHA256 | 7250d5e83c47a27ec1da2ccd3443eaa68cdaa66884fcb11995faa168d7ae8a6c |
| SHA512 | 677b592dbbd527b6000f75cfb8f5d7cf6bb279be2a98e748971c281a4f19b4405a617a9249664f2b9dfcc5951b63db5425c24e26c7910278f2c23ecc858e65a9 |
memory/1896-20-0x00000000751F0000-0x00000000757A1000-memory.dmp
memory/3556-21-0x00000000751F0000-0x00000000757A1000-memory.dmp
memory/3556-22-0x0000000001760000-0x0000000001770000-memory.dmp
memory/3556-23-0x00000000751F0000-0x00000000757A1000-memory.dmp
memory/3556-25-0x0000000001760000-0x0000000001770000-memory.dmp
memory/3556-26-0x00000000751F0000-0x00000000757A1000-memory.dmp
memory/3556-27-0x0000000001760000-0x0000000001770000-memory.dmp