Malware Analysis Report

2024-11-16 13:11

Sample ID 240410-1fyg6sca95
Target ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118
SHA256 0e827590379d5651f1e81767b06da5a82a1366a04867acdb41f83dd5394e1bb6
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

0e827590379d5651f1e81767b06da5a82a1366a04867acdb41f83dd5394e1bb6

Threat Level: Known bad

The file ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Checks computer location settings

Uses the VBS compiler for execution

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-10 21:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 21:36

Reported

2024-04-10 21:38

Platform

win7-20240319-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp3F9F.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp3F9F.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp3F9F.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1752 wrote to memory of 1764 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2512 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp3F9F.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lpuixvrk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4136.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4135.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp3F9F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3F9F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp

Files

memory/2512-0-0x0000000074590000-0x0000000074B3B000-memory.dmp

memory/2512-1-0x0000000074590000-0x0000000074B3B000-memory.dmp

memory/2512-2-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lpuixvrk.cmdline

MD5 3d46fec11f51e7133e8bf6f12baa9fdd
SHA1 1a5aca97c32323156bd300ab3f06c8c4d56f2d8d
SHA256 e5fc6203afdb3a5c2f2b6618b3822724c412f1b873d79757d99c81298f02f902
SHA512 f73a517ea9f50f0399c1141eea1647d83232a123bc3152cf568db4dfe1ce1f26a0d8380d0627bec67749d51dde8189eac33f85eadbd023e5840de5f2e5fd0dae

C:\Users\Admin\AppData\Local\Temp\lpuixvrk.0.vb

MD5 02b6a3f981adfa04d42c0e234ea2d4d2
SHA1 6bae686efac8b8dbe6e48d36a3e9b0a45cae6e11
SHA256 d1fb5eb2b7257809973188ea1125d90ea27ea2da9ab238197e95cd6f1f195092
SHA512 166066712f8b2006dfcac3347afd7884032e9fd2057646a037e3a717b89b5b5f32d2eb9a7d59389ece303e9c5e0850dda7686cda9c4d0677a627690a9e7f4577

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbc4135.tmp

MD5 96885a8c6708bd82185914f206acec48
SHA1 abd9d523a36480d378e7a5f63330898240f81197
SHA256 b7fe408f8ae306d3fc8be53da3cbd8a6310c72c41eca2d890e376092bea91685
SHA512 c503ef6d5f679a8eed6c4e814fbb09010f08c64e77952c164ca735f8fb71a137c6e8878471407f84bffa6d5af73b1a97d83075ada34d8249cfe25ed312eaba6f

C:\Users\Admin\AppData\Local\Temp\RES4136.tmp

MD5 7a2cdb54da3a6f48858d09ec26843dcd
SHA1 5a9326d85bbbc03074676cb99272269670a5ab63
SHA256 69067afe68f8cc50f1cb2bd36dfa8ebe435e2db0044a902c5651f3fab761a42b
SHA512 1548e90db09cfdda663896fbc64784206a9ca3e0a7cd54be8f8763e361d45dd17abe26de64a5b0815f5097c1dd6584866d7b089e1d7f6bdea8c3f1c9f7b6141c

C:\Users\Admin\AppData\Local\Temp\tmp3F9F.tmp.exe

MD5 8d7ca5545bbf7e28854de8702430dce7
SHA1 85c93ce0b57731a5ca50e97666977c35d78fc46b
SHA256 48323cd633deb871659553f77d7003b2e1ccbbee1ff232316892e9d1c4ea6ce5
SHA512 f95d698dfcc309be666b38e33d3286af982bda36284b061d4bb3bd113cfb290b433cf60852ba6b71819e6f054486a62b3fa9772c7bf94242cb095032d48e7ae0

memory/2512-22-0x0000000074590000-0x0000000074B3B000-memory.dmp

memory/2564-23-0x0000000074590000-0x0000000074B3B000-memory.dmp

memory/2564-24-0x0000000002110000-0x0000000002150000-memory.dmp

memory/2564-25-0x0000000074590000-0x0000000074B3B000-memory.dmp

memory/2564-27-0x0000000002110000-0x0000000002150000-memory.dmp

memory/2564-28-0x0000000002110000-0x0000000002150000-memory.dmp

memory/2564-29-0x0000000074590000-0x0000000074B3B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 21:36

Reported

2024-04-10 21:38

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp544A.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp544A.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp544A.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1180 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2916 wrote to memory of 2200 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1180 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp544A.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uhylnsmg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5544.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEBEC5197BC8A40379ABCFF6291D368.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp544A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp544A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ec0ada03c0f847cf20f92d5e7db54193_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 219.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 219.203.100.95.in-addr.arpa udp

Files

memory/1180-0-0x0000000075130000-0x00000000756E1000-memory.dmp

memory/1180-1-0x0000000075130000-0x00000000756E1000-memory.dmp

memory/1180-2-0x0000000000780000-0x0000000000790000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uhylnsmg.cmdline

MD5 fcdb1c81906e6ff3778d1491bed76dbe
SHA1 4b27337a342138a54f6d3f4c7d6c2f94a664d8cd
SHA256 b85d633e9bcaacf31ce742160d8be05361852f837a36af6eae272626b85c32ce
SHA512 2e492c1de05de5492e73584e14a79d3d3b9414494851a242fba0eae3c5ae057fc30e82a7f593410ea23f11572e0f33a555b8eecd7126a3f72422a2d03b91bb2c

C:\Users\Admin\AppData\Local\Temp\uhylnsmg.0.vb

MD5 f2eaf2a098f8f5331460e0596611b541
SHA1 9326d346ee1c09b2035da2ee4e92beb32751b814
SHA256 96b78815bb2abfaee0a85104e6d9382518eef941be287c8ff18c744da5f6cae4
SHA512 6c31e063a2d46381b31948ea21201d6f19170879597709dde8579e2a01032668425f2b38fe5dbb286ed760ed965a85f1dead415d9399529ffa409653cb36032f

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbcEBEC5197BC8A40379ABCFF6291D368.TMP

MD5 ca7ba9fbbdb00ae617871857be0a6fce
SHA1 b454481ba4617d1e25e04a81353efd0e12f602bf
SHA256 94056f6a0854a460d5b29948f8655a5e9b861cda5d969f537b50e51c2ab4c4e5
SHA512 e95df6931084563405740ac654d65781d51dfe4c532420adc590c866c69d5ddca8ab389d7464f2c97f3f2deda3a89bd61f36a9c24b5b4a882da389968bfd415c

C:\Users\Admin\AppData\Local\Temp\RES5544.tmp

MD5 8ec0e654c8fdb20a77e800196e0c763a
SHA1 fc514d611ad2e793117307c20319e87f5ed8cd05
SHA256 9930c7472d12cd74ee4d8cb1f1c294f366398f7a343ae49743cf481f57edb5b2
SHA512 24aed4a04871e2aeaf94a227c30d6f3be39c82444b95002cae9163b4db56f5a13ea560221ac53fae32705cedb1dda48e0ffd3663f15626b2b60c164232ae3bf3

C:\Users\Admin\AppData\Local\Temp\tmp544A.tmp.exe

MD5 2e0cd864fb2ff3d6622e013f0c701cc6
SHA1 feb7afd45bf23731157ee23da6d51561a6509ee1
SHA256 e33b70ca86d9160ef4d15cca07968151b9a8bd94756aee80ce681f212b603911
SHA512 837643900c4ace4dd795caf5739af41794297e6623037565bff010d8f3f33bcd359bd53c55a4e5cf9fbfbc553f912bdf718d190197f26ec033283fa84d5ea387

memory/1048-21-0x0000000075130000-0x00000000756E1000-memory.dmp

memory/1180-20-0x0000000075130000-0x00000000756E1000-memory.dmp

memory/1048-22-0x00000000016D0000-0x00000000016E0000-memory.dmp

memory/1048-23-0x0000000075130000-0x00000000756E1000-memory.dmp

memory/1048-25-0x00000000016D0000-0x00000000016E0000-memory.dmp

memory/1048-26-0x0000000075130000-0x00000000756E1000-memory.dmp

memory/1048-27-0x00000000016D0000-0x00000000016E0000-memory.dmp

memory/1048-28-0x00000000016D0000-0x00000000016E0000-memory.dmp