Analysis Overview
SHA256
6013b8df312752922c449e0977753efceca566b1030f9904663cb7220f10f4ae
Threat Level: Known bad
The file ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Uses the VBS compiler for execution
Checks computer location settings
Loads dropped DLL
Deletes itself
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-10 08:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 08:01
Reported
2024-04-10 08:03
Platform
win7-20231129-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
MetamorpherRAT
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v1t2fn34.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc13EE.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
The bejnz.com (34.67.9.172:80) / 127.0.0.1:127 row pair recurs 60 times in this capture.
Files
memory/1044-0-0x00000000741F0000-0x000000007479B000-memory.dmp
memory/1044-1-0x00000000741F0000-0x000000007479B000-memory.dmp
memory/1044-2-0x00000000020E0000-0x0000000002120000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\v1t2fn34.cmdline
| MD5 | eac08cbf1ff4baa46aa0e1a5815a67ad |
| SHA1 | f5f98392fcbe4a6b3d874a6204c3263f2418a72a |
| SHA256 | 6506446e8f050a518077e11efa24a2b027afe14b7b9d6c8ccd8085be6713f80f |
| SHA512 | 89f741715771b6965bbbcb544301be07850ddb93a3a2bc266ac1288bd63335a5e4e32b589f4e843551fca4e88f347df646e9816c66489af14df88f4dcf3b5107 |
memory/1940-8-0x0000000000260000-0x00000000002A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\v1t2fn34.0.vb
| MD5 | 081305bf4326fb1ddd395521dbfc1ade |
| SHA1 | 15ee214b5db33780ddc994c0bff939d4605ae29d |
| SHA256 | 00a56cad086f6f1bd2b0cc028c5ba203da333dd1ce1c167bcf6ee33a62570233 |
| SHA512 | 5c27ff768a92b9e3b9b94c8be2cd88ea6109542f8ccd7de766cef1cdd9904eb2e65b8c079af11e437a4c2a5f4b238b9c562ae598021897fdfd24806dce9f0abf |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbc13EE.tmp
| MD5 | 053440d7eca44b1db720d04eea8c58f6 |
| SHA1 | 5695633a446cc88d1fe831e1b862b60b449748e3 |
| SHA256 | 702c0bceaeb177838fba6d87b9a690e5a3b334a5b4ed43f22b66e52b9a187723 |
| SHA512 | 2629734be229218e4c6a406036607d28d444245f49247dd5682db87080321e47cbbec7ea43182ad8eec1ba6e90f4e642a039e71f85d78a115fef70f9174615b8 |
C:\Users\Admin\AppData\Local\Temp\RES13EF.tmp
| MD5 | 7b1cb232e0535aa4c3a9721198d946b2 |
| SHA1 | 5393172270f0c8fd04bdcf484e9d67e6a3f65c26 |
| SHA256 | 442229d6bffb75626d31cb72854e3d9dc316661360ad32d7333b8449acafc94e |
| SHA512 | 107bb9f6a54ac571484a06e0448610d3eb8d00ca66418ae2d2f776e86510a6312ecfd69959941c2f42875e624344dfc62181b1a13f4c351332998d54af22a912 |
C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.exe
| MD5 | a205e60e5bcce0640588e5a9c2ee93d5 |
| SHA1 | bbfa71267924b6f3aa95e0b2e1d3c5af14d2de1d |
| SHA256 | d9028af6b526b9a7713cf8190ec503028d40fe3727bbf2676618ccb04b34815c |
| SHA512 | 04f966fe4591971ad73feec428b6a76c384fa53b79b4cfa3997adf536064c9a2399b85a76add1b04a25bdd20cfa33a71f3c23302def56f432ca46a56525db023 |
memory/1044-22-0x00000000741F0000-0x000000007479B000-memory.dmp
memory/2060-24-0x00000000741F0000-0x000000007479B000-memory.dmp
memory/2060-25-0x0000000000070000-0x00000000000B0000-memory.dmp
memory/2060-26-0x00000000741F0000-0x000000007479B000-memory.dmp
memory/2060-28-0x0000000000070000-0x00000000000B0000-memory.dmp
memory/2060-29-0x00000000741F0000-0x000000007479B000-memory.dmp
memory/2060-30-0x0000000000070000-0x00000000000B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 08:01
Reported
2024-04-10 08:03
Platform
win10v2004-20231215-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9bhzyozn.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D26.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98B54ED31A9F4458A86D49B54991695B.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | N/A | tcp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| N/A | 127.0.0.1:127 | N/A | tcp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
The bejnz.com (34.67.9.172:80) / 127.0.0.1:127 row pair recurs 43 times in this capture, interleaved with the reverse-DNS (in-addr.arpa) lookups listed above.
Files
memory/4584-0-0x0000000074B10000-0x00000000750C1000-memory.dmp
memory/4584-1-0x0000000001650000-0x0000000001660000-memory.dmp
memory/4584-2-0x0000000074B10000-0x00000000750C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9bhzyozn.cmdline
| MD5 | 5a9d87bf81ab23cd6d6cd8eacd0a7561 |
| SHA1 | 664b2db300c88b40c233f6d9eb0591468bce37df |
| SHA256 | dc30d5b071788fe92d20e869d340ca9284b56e8b22fa25e3fd747dceeedb478e |
| SHA512 | d5ddca6379bf638629f853c2609c63addec8789b4dfa28f93cca11d6983c221b1592be14f4ac85d5c700434a5beb77eb018560bff7fff37679e52f0bb916d2c2 |
C:\Users\Admin\AppData\Local\Temp\9bhzyozn.0.vb
| MD5 | 924c1a9c88e77a5f7a92d0a821e3e1a8 |
| SHA1 | 311737ca2f0c563e3b375896fe9a3f27485035de |
| SHA256 | 71eef00e9c529ec90558c1e697d263a303a4c5808ae51233df683e6d5c0f80b6 |
| SHA512 | 852b28771170f8dad65511d03dfc1e8bbfc7d6daf153bd2af6b891fd0e0d341e2c539d58ee34e16eff853e8ab204b706344c282eb4737e5f260f30914c41bb06 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 4f0e8cf79edb6cd381474b21cabfdf4a |
| SHA1 | 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4 |
| SHA256 | e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5 |
| SHA512 | 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107 |
C:\Users\Admin\AppData\Local\Temp\vbc98B54ED31A9F4458A86D49B54991695B.TMP
| MD5 | 9c2ebd7264ebd47c3e91d3e155fb37b0 |
| SHA1 | fcca16aa6214ce39739ce3d00eabd43988c3fd8d |
| SHA256 | 4fa60a66051cb3ac219b76493fef3015235b2be11ab16a05a839260bbc01bb1f |
| SHA512 | 32fc28a167391208dbf5ac773694b704cbc03cf24fc163ddc97758f60ae3a5df80868e6a7e3e6bd3b1ad1b0736bd34161fe2cf56ea1054d2face3b720f92ae76 |
C:\Users\Admin\AppData\Local\Temp\RES4D26.tmp
| MD5 | a259506cb1633f2d0078f0e1034b968b |
| SHA1 | 30b49cdbb47c340c468d90b5554ec9e2440a4119 |
| SHA256 | e20aaeef98771b6c5b0bc3fd216373493a6331a66b323df54de72ef69de27e45 |
| SHA512 | bd88994a8b09aaebec694020d9d2483a1f144706bc934901ef9021b31a6f30e55f5e5837b8242fb689114c8b04d1e3d03dd1b1e9e4207a9b223a7ba142c0aea1 |
C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp.exe
| MD5 | 3ea4350ca67bcb179a503185ba44db3b |
| SHA1 | 480beb9df65a589d61e58edd1a90d6bf99b5bde7 |
| SHA256 | d96588e9e38aa1da94cf09d11886412b354e61c94df69d441751ca421a1e3e89 |
| SHA512 | 207f556222b23876049f7a00a6d8a0c60fc00cbb2a73d3e1dc35856791345c64c455cb9022b8e181d64280eb67bfb430f3251eaa32d77780ff580d5b8b4da5eb |
memory/3616-21-0x0000000074B10000-0x00000000750C1000-memory.dmp
memory/4584-20-0x0000000074B10000-0x00000000750C1000-memory.dmp
memory/3616-22-0x0000000074B10000-0x00000000750C1000-memory.dmp
memory/3616-24-0x00000000012A0000-0x00000000012B0000-memory.dmp
memory/3616-25-0x0000000074B10000-0x00000000750C1000-memory.dmp
memory/3616-26-0x00000000012A0000-0x00000000012B0000-memory.dmp