Malware Analysis Report

2024-11-16 13:10

Sample ID 240409-gp47jabf9t
Target e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118
SHA256 b67841f190d5eefa0af36bffcf65ac83f994479d912d50bc71ffa314d07236c9
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b67841f190d5eefa0af36bffcf65ac83f994479d912d50bc71ffa314d07236c9

Threat Level: Known bad

The file e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Uses the VBS compiler for execution

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 05:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 05:59

Reported

2024-04-09 06:02

Platform

win7-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp50EE.tmp.exe N/A

Uses the VBS compiler for execution

The compiler in question is vbc.exe, the Visual Basic .NET command-line compiler (not a VBScript engine); it is invoked on a generated response file, see the Processes section below.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp50EE.tmp.exe N/A

The Run value is written by the compiled payload (tmp50EE.tmp.exe), not by the original sample, and it points at Temp\big5.exe, which is not among the files written in this detonation (see Files below); as recorded, the persistence entry does not resolve to anything on disk.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp50EE.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1736 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
PID 2500 wrote to memory of 2616 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 1736 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp50EE.tmp.exe 4

Each of the three parent/child pairs was recorded four times; the original table lists every write on its own row. All writes go from a parent into a child it has just created, which is also what ordinary process start-up looks like to this hook, so the signature corroborates the process tree rather than showing injection into an unrelated process.

Processes

PID 1736  C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe"

  PID 2500  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wfibnhjq.cmdline"

    PID 2616  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52A3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc52A2.tmp"

  PID 2556  C:\Users\Admin\AppData\Local\Temp\tmp50EE.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmp50EE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe

PIDs and parent/child links are taken from the WriteProcessMemory rows. The chain is the .NET CodeDOM compile-at-runtime pattern: the sample drops a VB.NET source (wfibnhjq.0.vb) and a compiler response file (wfibnhjq.cmdline), invokes vbc.exe on the response file, vbc.exe in turn runs cvtres.exe to convert the Win32 resource file vbc52A2.tmp into the object RES52A3.tmp, and the freshly built tmp50EE.tmp.exe is then executed with the original sample's path as its only argument. The payload PE is therefore built on the victim and is not present in the delivered file for static scanning (static1 reports only Unsigned PE).

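The process chain and the Run-key write recorded in this detonation reduce to three host telemetry checks. The following Python is an added example written for this page, not code from the sandbox or from any analysis of the sample: it runs the checks over constructed process and registry events copied from the Processes and Signatures tables above (PIDs, paths and command lines as listed), plus one constructed benign MSBuild build to show what does not fire. The parent PID of the top-level sample (1000), the MSBuild paths, and the rule names and severities are assumptions made for the example.

```python
"""Host-side detection for the chain recorded above: a user-writable-path EXE
driving vbc.exe with a Temp response file, a compiled EXE run from Temp by a
Temp parent, and a Run value pointing into Temp.

Added example; not part of the sandbox report. Event records are constructed
from the report's Processes and Signatures tables plus one constructed benign
MSBuild build for contrast.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str


@dataclass(frozen=True)
class RegistryEvent:
    pid: int
    path: str       # key path ending in the value name, as the sandbox prints it
    data: str


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    pid: int
    detail: str


# Directories a standard user can write to; anything started from here is suspect.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\temp\\", re.I)
# vbc.exe/csc.exe response-file argument: /noconfig @"...\something.cmdline"
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
COMPILERS = {"vbc.exe", "csc.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(processes: List[ProcessEvent], registry: List[RegistryEvent]) -> List[Finding]:
    by_pid: Dict[int, ProcessEvent] = {p.pid: p for p in processes}
    findings: List[Finding] = []
    for p in processes:
        parent: Optional[ProcessEvent] = by_pid.get(p.ppid)
        parent_suspect = bool(parent and USER_WRITABLE.search(parent.image))
        if basename(p.image) in COMPILERS:
            m = RESPONSE_FILE.search(p.cmdline)
            # System.CodeDom in benign software also compiles from a Temp response
            # file, so that alone is medium; a parent from a user-writable path makes it high.
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append(Finding("compile_after_delivery",
                                        "high" if parent_suspect else "medium",
                                        p.pid, f"{basename(p.image)} @{m.group(1)}"))
        elif USER_WRITABLE.search(p.image) and parent_suspect:
            findings.append(Finding("temp_exe_spawned_by_temp_exe", "medium", p.pid,
                                    f"{parent.image if parent else '?'} -> {p.image}"))
    for r in registry:
        key, _, value_name = r.path.rpartition("\\")
        if RUN_KEY.search(key) and USER_WRITABLE.search(r.data):
            findings.append(Finding("run_key_to_user_writable_path", "high",
                                    r.pid, f"{value_name} = {r.data}"))
    return findings


# Constructed events: paths, PIDs and command lines as listed in behavioral1.
T = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = T + r"\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe"

PROCESS_EVENTS = [
    ProcessEvent(1736, 1000, SAMPLE, f'"{SAMPLE}"'),   # ppid 1000 is an assumption
    ProcessEvent(2500, 1736, NET + r"\vbc.exe",
                 f'"{NET}\\vbc.exe" /noconfig @"{T}\\wfibnhjq.cmdline"'),
    ProcessEvent(2616, 2500, NET + r"\cvtres.exe",
                 f'{NET}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{T}\\RES52A3.tmp" "{T}\\vbc52A2.tmp"'),
    ProcessEvent(2556, 1736, T + r"\tmp50EE.tmp.exe", f'"{T}\\tmp50EE.tmp.exe" {SAMPLE}'),
    # Constructed benign contrast: a build from a source tree, parent outside user-writable dirs.
    ProcessEvent(4000, 1, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
                 "MSBuild.exe app.vbproj"),
    ProcessEvent(4001, 4000, NET + r"\vbc.exe",
                 f'"{NET}\\vbc.exe" /noconfig @"C:\\src\\app\\obj\\Debug\\app.cmdline"'),
]
REGISTRY_EVENTS = [
    RegistryEvent(2556,
                  r"\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes",
                  f'"{T}\\big5.exe"'),
]

if __name__ == "__main__":
    for f in detect(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(f"[{f.severity}] {f.rule} pid={f.pid}: {f.detail}")
```

Running it reports the vbc.exe launch as high because its parent lives in Temp, the payload launch as medium, and the Run value as high; the MSBuild build produces nothing. The two-tier severity on compile_after_delivery is deliberate: legitimate CodeDOM users also drive vbc.exe/csc.exe from a Temp response file, so the parent's location, not the response file, is what carries the signal.
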
Network

Country Destination Domain Proto Count
US 8.8.8.8:53 bejnz.com udp 1
US 34.67.9.172:80 bejnz.com tcp 59
N/A 127.0.0.1:127 tcp 59

The original table lists every connection on its own row: after a single DNS lookup of bejnz.com, a connection to 34.67.9.172:80 and a 127.0.0.1:127 row alternate 59 times each across the 153-second network window, i.e. the sample re-contacts bejnz.com roughly every two to three seconds for the whole run.

Files

memory/1736-0-0x0000000074E00000-0x00000000753AB000-memory.dmp

memory/1736-1-0x0000000074E00000-0x00000000753AB000-memory.dmp

memory/1736-2-0x00000000020D0000-0x0000000002110000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wfibnhjq.cmdline

MD5 1e2e2495cbfad8c5caf0284e62b807a6
SHA1 66754dc40cddb902ac20db9aa1ca72eb17f5091f
SHA256 4b974eca9cdbf252adcc6d4016b48768ec50b2b341f6e035852aab0b5c4c04c4
SHA512 0062362ca77db03a4a2eedbe2454f927e1e8d494279628413c452d59f68254102693c6e3c6d5f0e4a344fff1ad5388639d537c041f8304a62661b05baa6151ed

memory/2500-8-0x0000000000550000-0x0000000000590000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wfibnhjq.0.vb

MD5 ca270a13ada72102114acd3c22efcaa0
SHA1 f1151b41b034b879ccf497913b953f52b8ff3deb
SHA256 a65f97b37d2e361078db6bd33a4a2f6bd5f216ab56dded2d33bd612873903e3b
SHA512 0bffa8f5dd927f204f7f19e5f26bf854de7b795e49bd7cb8c970ac29c66b4fc606a0fe480b985cdea4c9d8a2a93a93334e26cf8e81c0df6629b017a80cdded07

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbc52A2.tmp

MD5 cf1b7ffd22d6b17e2d547b72bab0a27c
SHA1 f327fcb4b7b3a8f8fd72b743ca092a69bc261aa3
SHA256 896c8f51b86ba3c48f32b2ec082f8f33f5293117cc6e845db1f3330732ba453c
SHA512 56b67aceb3ced258ae3a47b0542ab8c91e67499949a645f767df2085584d244a3bd73b87ad689468649dd632cbde28b6bee0b4e6cbff9803ab987b76385c5d89

C:\Users\Admin\AppData\Local\Temp\RES52A3.tmp

MD5 4f48aeb2814094ef7de0847f9b5d197f
SHA1 12e4febe4df1ec35b3ca7358023e80bf8d1f97c6
SHA256 daca5aeec26ce765d872c1c9f50cc8f3a9a33275802b065c43f14a6e05e193e2
SHA512 90f31b1b1b24f9770324725e1dd639f912e3814708580883c4ad76fc2dcc7e8e215ed90de7c3e337c8ef8926666fc55ea3f6edf03433973790168771ae6fa7fe

C:\Users\Admin\AppData\Local\Temp\tmp50EE.tmp.exe

MD5 e85b4ed02203209a07c84f9bb703afaa
SHA1 5995cae4b66b884164964be0f8259b2e5ca92372
SHA256 08d758c60126bc983cc16e07eef2de6e5ab6524b54b0e613b324d50bda40896c
SHA512 8749ad36bff5a4cfde1f55afac1bece1b7f148f68455764c3f7801d470e4ad59579a1fa816ae076b8a523597479d223f29282a597967986782ef23a08799ff43

memory/1736-23-0x0000000074E00000-0x00000000753AB000-memory.dmp

memory/2556-24-0x0000000074E00000-0x00000000753AB000-memory.dmp

memory/2556-25-0x0000000000140000-0x0000000000180000-memory.dmp

memory/2556-26-0x0000000074E00000-0x00000000753AB000-memory.dmp

memory/2556-28-0x0000000000140000-0x0000000000180000-memory.dmp

memory/2556-29-0x0000000074E00000-0x00000000753AB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 05:59

Reported

2024-04-09 06:02

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4A96.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4A96.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp4A96.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp4A96.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1896 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 3
PID 504 wrote to memory of 2916 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 3
PID 1896 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp4A96.tmp.exe 3

Each parent/child pair was recorded three times; the original table lists every write on its own row.

Processes

PID 1896  C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe"

  PID 504   C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sxgynasr.cmdline"

    PID 2916  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BCE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB52C49FAD3124654A7F75E7F15C926B.TMP"

  PID 3556  C:\Users\Admin\AppData\Local\Temp\tmp4A96.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmp4A96.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e962fd27a0e66830e2f6697e3c263cb1_JaffaCakes118.exe

PIDs and parent/child links are taken from the WriteProcessMemory rows. This is the same compile-at-runtime chain as on Windows 7, with freshly generated temporary names; the compiled payload again receives the original sample's path as its argument, which fits the Deletes itself signature attributed to tmp4A96.tmp.exe above.

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp 1
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp 1
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 bejnz.com udp 1
US 34.67.9.172:80 bejnz.com tcp 43
N/A 127.0.0.1:127 tcp 43
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp 1
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp 1
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp 1
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp 1
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp 1
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp 1
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp 1

As in behavioral1, the original table lists every connection separately: the 34.67.9.172:80 and 127.0.0.1:127 rows alternate 43 times each across the 150-second window, with the reverse lookups interleaved in the order shown. The in-addr.arpa rows are PTR queries. 172.9.67.34.in-addr.arpa is the reverse of the C2 address 34.67.9.172 and is issued right after the first connection to it; the other twelve reverse addresses that are not contacted anywhere in this capture, which is the pattern of the OS's own background lookups rather than of the sample's traffic, so only bejnz.com and 34.67.9.172:80 are indicators worth carrying out of this table.

Files

memory/1896-0-0x00000000751F0000-0x00000000757A1000-memory.dmp

memory/1896-1-0x00000000751F0000-0x00000000757A1000-memory.dmp

memory/1896-2-0x0000000001760000-0x0000000001770000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sxgynasr.cmdline

MD5 778d7967d1e36d6b13d134d447c69bd7
SHA1 a71277c3b5c363c6e0be726d559a0f9ebcd735a7
SHA256 e6ca65e7045218a69ca7e16aa54dd7881ca365f0d1b5f2dc0706fd173c18580e
SHA512 38826844a9ebd2381956b7c14c36c75a85f7a81666c9bbabfef2faf6b55ce04b9d4c659d9b75ca1962604acafca20a4a28d207f4153810ed4d900f768d1de1b6

C:\Users\Admin\AppData\Local\Temp\sxgynasr.0.vb

MD5 861d12b120aa4cb591956b8938840431
SHA1 7d15185a1e3a91a3722a076455a556997e49b0d5
SHA256 fa15cafa8edac93cdea76bcb1f75ce0d56cd7b61d667cc2cb0b481fcc9cbc6c9
SHA512 c60b2294661c54c1957d67de49af11823714befee1ba318783d6bd096432bf07f93f1dcf1186d3ea2eeeaee3f7473f84c3428090b51280a3bcd19d43228fbeeb

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbcB52C49FAD3124654A7F75E7F15C926B.TMP

MD5 a91b0807d83c091996fb0cd7ccca883e
SHA1 5f643fb80ca7b979ac983a452ad7f21213ea3faa
SHA256 61935f6d471f5bae0f2c9e792425006d475e2b7cdb666c2995306f1049684c10
SHA512 a39702ea4693c337168ec4e4e57e35355dd6bfbda3b7c84a25a58d27bc632d23a3f54cb7949d375f6a3abbaf09df752f8c7239d423bf3051193131d9ef7d4dd8

C:\Users\Admin\AppData\Local\Temp\RES4BCE.tmp

MD5 e0f0195f4b1d60faac4748c2d9f97865
SHA1 1eb5efa017c08b141ea7379226359921b73c0cd7
SHA256 8a92b8232cb3c92b9d36956c72c17ccd263c4c6785ef95b28fa7291855d9fb88
SHA512 adbcd3342b4c34750f1d964944c89311faa18b42dcd964395a80953c13e7b3ca1451e1f51cdcaa6a9af51e916b5150f3b2c61f3a21801652af7bf25d2b21a1ca

C:\Users\Admin\AppData\Local\Temp\tmp4A96.tmp.exe

MD5 43cde89534687077cc0433d3a3e63d5a
SHA1 a6570e3fb47227e389985654c5a7f8c28ad0228d
SHA256 7250d5e83c47a27ec1da2ccd3443eaa68cdaa66884fcb11995faa168d7ae8a6c
SHA512 677b592dbbd527b6000f75cfb8f5d7cf6bb279be2a98e748971c281a4f19b4405a617a9249664f2b9dfcc5951b63db5425c24e26c7910278f2c23ecc858e65a9

These hashes differ from those of tmp50EE.tmp.exe in behavioral1 because the payload is compiled afresh on every run, so hashes of the compiled payload are poor indicators for this sample. zCom.resources, by contrast, carries identical MD5/SHA1/SHA256/SHA512 values in both detonations and is the one dropped artifact that is stable across runs.

memory/1896-20-0x00000000751F0000-0x00000000757A1000-memory.dmp

memory/3556-21-0x00000000751F0000-0x00000000757A1000-memory.dmp

memory/3556-22-0x0000000001760000-0x0000000001770000-memory.dmp

memory/3556-23-0x00000000751F0000-0x00000000757A1000-memory.dmp

memory/3556-25-0x0000000001760000-0x0000000001770000-memory.dmp

memory/3556-26-0x00000000751F0000-0x00000000757A1000-memory.dmp

memory/3556-27-0x0000000001760000-0x0000000001770000-memory.dmp