Malware Analysis Report

2024-11-16 13:11

Sample ID 240410-jwprjagh67
Target ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118
SHA256 6013b8df312752922c449e0977753efceca566b1030f9904663cb7220f10f4ae
Tags metamorpherrat persistence rat stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 6013b8df312752922c449e0977753efceca566b1030f9904663cb7220f10f4ae

Threat Level: Known bad. The file ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: metamorpherrat persistence rat stealer trojan

MetamorpherRAT
Uses the VBS compiler for execution (the process is vbc.exe, the Visual Basic .NET command-line compiler, used to build the second stage at run time; see the behavioral sections)
Checks computer location settings
Loads dropped DLL (listed only here; neither detonation below records an indicator for it)
Deletes itself
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15. The rendered matrix is not reproduced here; the techniques indicated by the signatures recorded in the detonations below are:

T1027.004 Obfuscated Files or Information: Compile After Delivery (second stage compiled with vbc.exe at run time)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Run value ShFusRes)
T1070.004 Indicator Removal: File Deletion (original sample deleted by the dropped executable, behavioral1)
T1614 System Location Discovery (Control Panel\International\Geo\Nation queried, behavioral2)
T1082 System Information Discovery (physical storage devices enumerated)
T1071.001 Application Layer Protocol: Web Protocols (repeated connections to bejnz.com on TCP/80)

Analysis: static1

Detonation Overview

Reported 2024-04-10 08:01

Signatures

Unsigned PE
The PE carries no Authenticode signature. The static pass records no other indicator, process or target for this signature.

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-10 08:01
Reported 2024-04-10 08:03
Platform win7-20231129-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe"

Signatures

MetamorpherRAT
Tags: trojan rat stealer metamorpherrat

Deletes itself
Process: C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.exe
The deleting process is the dropped binary, which was started with the path of the original sample as its argument (see Processes). The behaviour is therefore consistent with the second-stage executable removing the first stage after hand-off rather than a process deleting its own image.

Executes dropped EXE
Process: C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.exe

Uses the VBS compiler for execution
Despite the signature name, the process is vbc.exe, the Visual Basic .NET command-line compiler, not a VBScript engine. It is run with a response file (/noconfig @v1t2fn34.cmdline) from the user's Temp directory; together with the dropped v1t2fn34.0.vb source, the zCom.resources file, the vbc13EE.tmp/RES13EF.tmp pair and the cvtres.exe child (which converts the Win32 resource into a COFF object for linking), this is the file pattern that System.CodeDom.Compiler produces when a .NET program compiles source at run time. The compiled output is tmp1333.tmp.exe.

Adds Run key to start application (persistence)
Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.exe
The Run value points at big5.exe in the user's Temp directory, but no file of that name appears in the Files list of this detonation: either it is written after the capture window or the persistence path is dead on this run. Both the value name ShFusRes and the target path are usable as host indicators.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken
Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe
Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.exe

Suspicious use of WriteProcessMemory
PID 1044 (ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe) wrote to memory of PID 1940 (vbc.exe): 4 calls
PID 1940 (vbc.exe) wrote to memory of PID 2560 (cvtres.exe): 4 calls
PID 1044 (ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe) wrote to memory of PID 2060 (tmp1333.tmp.exe): 4 calls
Each group pairs a parent with the child it has just created, and the writes into vbc.exe and cvtres.exe come from ordinary compiler invocation. Parent-to-child writes of this shape are also made by the Windows process-creation path itself, so these rows alone are not evidence of code injection; they do confirm the parent-child links used for the process tree below.

Processes

PIDs and parent links are those recorded in the WriteProcessMemory table above.

PID 1044  C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe"

    PID 1940  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (parent 1044)
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v1t2fn34.cmdline"

        PID 2560  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (parent 1940)
                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc13EE.tmp"

    PID 2060  C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.exe  (parent 1044)
              "C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe

Network

Country Destination Domain Proto Rows
US 8.8.8.8:53 bejnz.com udp 1 (DNS lookup of the domain)
US 34.67.9.172:80 bejnz.com tcp 60
N/A 127.0.0.1:127 (none) tcp 60

The original listing interleaves the rows: each TCP connection to bejnz.com on port 80 is followed by one TCP row to 127.0.0.1:127. The loopback rows are sandbox-internal and are not network indicators. Of the two external values, the domain bejnz.com is the durable indicator; 34.67.9.172 lies in a Google Cloud address range and can be reassigned, so an IP-only block entry should carry the observation date.

Files

memory/1044-0-0x00000000741F0000-0x000000007479B000-memory.dmp

memory/1044-1-0x00000000741F0000-0x000000007479B000-memory.dmp

memory/1044-2-0x00000000020E0000-0x0000000002120000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\v1t2fn34.cmdline

MD5 eac08cbf1ff4baa46aa0e1a5815a67ad
SHA1 f5f98392fcbe4a6b3d874a6204c3263f2418a72a
SHA256 6506446e8f050a518077e11efa24a2b027afe14b7b9d6c8ccd8085be6713f80f
SHA512 89f741715771b6965bbbcb544301be07850ddb93a3a2bc266ac1288bd63335a5e4e32b589f4e843551fca4e88f347df646e9816c66489af14df88f4dcf3b5107

memory/1940-8-0x0000000000260000-0x00000000002A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\v1t2fn34.0.vb

MD5 081305bf4326fb1ddd395521dbfc1ade
SHA1 15ee214b5db33780ddc994c0bff939d4605ae29d
SHA256 00a56cad086f6f1bd2b0cc028c5ba203da333dd1ce1c167bcf6ee33a62570233
SHA512 5c27ff768a92b9e3b9b94c8be2cd88ea6109542f8ccd7de766cef1cdd9904eb2e65b8c079af11e437a4c2a5f4b238b9c562ae598021897fdfd24806dce9f0abf

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbc13EE.tmp

MD5 053440d7eca44b1db720d04eea8c58f6
SHA1 5695633a446cc88d1fe831e1b862b60b449748e3
SHA256 702c0bceaeb177838fba6d87b9a690e5a3b334a5b4ed43f22b66e52b9a187723
SHA512 2629734be229218e4c6a406036607d28d444245f49247dd5682db87080321e47cbbec7ea43182ad8eec1ba6e90f4e642a039e71f85d78a115fef70f9174615b8

C:\Users\Admin\AppData\Local\Temp\RES13EF.tmp

MD5 7b1cb232e0535aa4c3a9721198d946b2
SHA1 5393172270f0c8fd04bdcf484e9d67e6a3f65c26
SHA256 442229d6bffb75626d31cb72854e3d9dc316661360ad32d7333b8449acafc94e
SHA512 107bb9f6a54ac571484a06e0448610d3eb8d00ca66418ae2d2f776e86510a6312ecfd69959941c2f42875e624344dfc62181b1a13f4c351332998d54af22a912

C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.exe

MD5 a205e60e5bcce0640588e5a9c2ee93d5
SHA1 bbfa71267924b6f3aa95e0b2e1d3c5af14d2de1d
SHA256 d9028af6b526b9a7713cf8190ec503028d40fe3727bbf2676618ccb04b34815c
SHA512 04f966fe4591971ad73feec428b6a76c384fa53b79b4cfa3997adf536064c9a2399b85a76add1b04a25bdd20cfa33a71f3c23302def56f432ca46a56525db023

memory/1044-22-0x00000000741F0000-0x000000007479B000-memory.dmp

memory/2060-24-0x00000000741F0000-0x000000007479B000-memory.dmp

memory/2060-25-0x0000000000070000-0x00000000000B0000-memory.dmp

memory/2060-26-0x00000000741F0000-0x000000007479B000-memory.dmp

memory/2060-28-0x0000000000070000-0x00000000000B0000-memory.dmp

memory/2060-29-0x00000000741F0000-0x000000007479B000-memory.dmp

memory/2060-30-0x0000000000070000-0x00000000000B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-10 08:01
Reported 2024-04-10 08:03
Platform win10v2004-20231215-en
Max time kernel 148s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe"

Signatures

MetamorpherRAT
Tags: trojan rat stealer metamorpherrat

Checks computer location settings
Key value queried: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe
This is the key that GetUserGeoID reads, and the .NET runtime queries it whenever code touches RegionInfo or the current culture, so on its own the read is weak evidence of geofencing. It is flagged only on this Windows 10 run; the Windows 7 run (behavioral1) records "Deletes itself" instead, the one difference in the signature sets of the two detonations.

Executes dropped EXE
Process: C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp.exe

Uses the VBS compiler for execution
As in behavioral1, the process is vbc.exe (the Visual Basic .NET compiler, not a VBScript engine), run with the response file 9bhzyozn.cmdline to compile 9bhzyozn.0.vb into tmp4C4B.tmp.exe; cvtres.exe is its normal resource-conversion child. The randomly named source, response file and output differ between the two runs, while zCom.resources has identical hashes in both, so the resource file is the stable artefact of the compile step.

Adds Run key to start application (persistence)
Set value (str): \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""
Process: C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp.exe
Same value name and target as on Windows 7. big5.exe again does not appear among the files written in this run.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken
Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe
Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp.exe

Suspicious use of WriteProcessMemory
PID 4584 (ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe) wrote to memory of PID 2804 (vbc.exe): 3 calls
PID 2804 (vbc.exe) wrote to memory of PID 852 (cvtres.exe): 3 calls
PID 4584 (ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe) wrote to memory of PID 3616 (tmp4C4B.tmp.exe): 3 calls
As in behavioral1, each group pairs a parent with the child it created; on their own these rows are consistent with ordinary process creation rather than injection, and their value here is the parent-child links they establish.
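
The Run-key indicators in both detonations arrive in the same text form, so a small parser turns them into a checkable record. The Python below is an added example written for this page, not part of the sandbox report or of any tool it names; it feeds the two "Set value (str)" indicator lines above (plus one constructed HKLM control value that is not from the report) through the parser, undoes the report's quoting, extracts the target executable, and flags values that point into user-writable directories or at files the report never saw written. The list of dropped files is assumed from the Files sections of this report.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed input: the two "Set value (str)" indicators exactly as printed in
# the behavioral1 and behavioral2 signature tables of this report, plus one
# constructed HKLM Run value (a Windows default) as a benign control.
REPORT_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""',
    r'\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "%windir%\\system32\\SecurityHealthSystray.exe"',
]

# Files the report lists as written during the two detonations (assumed from the
# Files sections above; big5.exe is absent because the report never shows it).
OBSERVED_DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.exe",
    r"C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp.exe",
    r"C:\Users\Admin\AppData\Local\Temp\zCom.resources",
]

# Hive prefix as the sandbox prints it, then the autostart key, value name and data.
RUN_KEY_RE = re.compile(
    r"^\\REGISTRY\\(?:USER\\(?P<sid>S-1-5(?:-\d+)+)|MACHINE)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>RunOnce|Run)"
    r"\\(?P<name>[^\\]+?) = (?P<value>.*)$",
    re.IGNORECASE,
)
# Locations a standard user can write to; a Run target in one of them is a red flag.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData\\|Users\\Public\\|ProgramData\\|Windows\\Temp\\)",
    re.IGNORECASE,
)


@dataclass
class RunKeyEntry:
    hive: str                 # "HKU" (per-user hive, with sid) or "HKLM"
    sid: Optional[str]
    key: str                  # "Run" or "RunOnce"
    value_name: str
    command: str              # registry data with the report's escaping undone
    image_path: str           # executable the command launches
    user_writable: bool       # image lives where a standard user can write
    observed_dropped: bool    # image is among the files the report saw written


def unescape_report_value(raw: str) -> str:
    # The report wraps the data in quotes and escapes inner quotes and backslashes;
    # undo both so the result is the string as stored in the registry.
    s = raw.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in '"\\':
            out.append(s[i + 1])          # \" -> "   and   \\ -> \
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def image_from_command(command: str) -> str:
    """First token of a Run command: a quoted path, or the text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def parse_indicator(line: str, dropped_files: Iterable[str] = ()) -> Optional[RunKeyEntry]:
    m = RUN_KEY_RE.match(line.strip())
    if not m:
        return None                       # not a Run/RunOnce write
    command = unescape_report_value(m["value"])
    image = image_from_command(command)
    dropped = {p.lower() for p in dropped_files}
    return RunKeyEntry(
        hive="HKU" if m["sid"] else "HKLM",
        sid=m["sid"],
        key="RunOnce" if m["key"].lower() == "runonce" else "Run",
        value_name=m["name"],
        command=command,
        image_path=image,
        user_writable=bool(USER_WRITABLE_RE.search(image)),
        observed_dropped=image.lower() in dropped,
    )


def triage_run_keys(lines: Iterable[str], dropped_files: Iterable[str]) -> List[RunKeyEntry]:
    dropped = list(dropped_files)
    entries = [parse_indicator(line, dropped) for line in lines]
    return [e for e in entries if e is not None]


def suspicious_entries(entries: Iterable[RunKeyEntry]) -> List[RunKeyEntry]:
    """Run values that launch from user-writable paths."""
    return [e for e in entries if e.user_writable]


if __name__ == "__main__":
    for e in suspicious_entries(triage_run_keys(REPORT_INDICATORS, OBSERVED_DROPPED_FILES)):
        seen = "seen written" if e.observed_dropped else "NOT among files written"
        print(f"{e.hive} {e.sid or ''} {e.key}\\{e.value_name} -> {e.image_path} ({seen})")
```

Both report lines parse to the same HKU Run value, ShFusRes, pointing into the user's Temp directory at a file the report never shows being written; the constructed HKLM control parses but is not flagged because its target is under the Windows directory. Case-insensitive key matching matters here: the Windows 7 run prints Software and the Windows 10 run prints SOFTWARE for the same key.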

Processes

PIDs and parent links are those recorded in the WriteProcessMemory table above.

PID 4584  C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe"

    PID 2804  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (parent 4584)
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9bhzyozn.cmdline"

        PID 852  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (parent 2804)
                 C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D26.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98B54ED31A9F4458A86D49B54991695B.TMP"

    PID 3616  C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp.exe  (parent 4584)
              "C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe

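Both detonations show the same shape: an executable in the user's Temp directory spawns vbc.exe with a Temp response file, vbc.exe spawns cvtres.exe, and the parent then runs the freshly compiled Temp executable with its own path as an argument. The Python below is an added example written for this page, not code from the report or from the sandbox vendor. It rebuilds the process tree from constructed process-creation events (images and command lines from the behavioral2 Processes list, parent PIDs from the WriteProcessMemory table) and applies two triage rules: a compiler launched with a Temp response file by a parent that lives in a user-writable path, and a Temp executable started with its parent's own path on the command line. A constructed PowerShell Add-Type chain (not from the report) is included as a control that must not alert, because csc.exe with a Temp .cmdline under a trusted parent is common on real hosts.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int            # 0 = parent not present in the report
    image: str
    command_line: str


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


# Constructed events. The first four reproduce the behavioral2 detonation above
# (parent PIDs taken from the WriteProcessMemory table); the last two are a
# constructed benign control modelled on PowerShell's Add-Type, which also
# compiles on the fly through csc.exe with a Temp response file.
EVENTS = [
    ProcEvent(4584, 0,
        r"C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe",
        r'"C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe"'),
    ProcEvent(2804, 4584,
        r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
        r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9bhzyozn.cmdline"'),
    ProcEvent(852, 2804,
        r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
        r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D26.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98B54ED31A9F4458A86D49B54991695B.TMP"'),
    ProcEvent(3616, 4584,
        r"C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp.exe",
        r'"C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ea9bd0e0af93469d88b0be36fd78a2db_JaffaCakes118.exe'),
    # constructed benign control (not from the report)
    ProcEvent(9001, 0,
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'),
    ProcEvent(9002, 9001,
        r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k2ql3f5m.cmdline"'),
]

COMPILERS = {"vbc.exe", "csc.exe"}                     # .NET command-line compilers
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData\\|Users\\Public\\|ProgramData\\|Windows\\Temp\\)", re.IGNORECASE)
RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)   # @file argument of vbc/csc


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def detect(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue                                   # root of the observed tree
        parent_untrusted = bool(USER_WRITABLE_RE.search(parent.image))
        # Rule 1: compiler driven by a response file in Temp, from a parent in a user-writable path.
        if basename(e.image).lower() in COMPILERS:
            m = RESPONSE_FILE_RE.search(e.command_line)
            if m and parent_untrusted and USER_WRITABLE_RE.search(m.group(1)):
                findings.append(Finding("compile_after_delivery", e.pid,
                    f"{basename(parent.image)} (pid {parent.pid}) invoked {basename(e.image)} "
                    f"with response file {m.group(1)}"))
        # Rule 2: child in a user-writable path is handed its parent's own path as an argument.
        if (parent_untrusted and USER_WRITABLE_RE.search(e.image)
                and parent.image.lower() in e.command_line.lower()):
            findings.append(Finding("temp_exe_handoff", e.pid,
                f"{basename(e.image)} started from a user-writable path with the path of its "
                f"parent {basename(parent.image)} as an argument"))
    return findings


def render_tree(events: List[ProcEvent]) -> List[str]:
    """Indented parent/child listing; events whose parent is unknown become roots."""
    by_pid = {e.pid: e for e in events}
    children: Dict[Optional[int], List[ProcEvent]] = defaultdict(list)
    for e in events:
        children[e.ppid if e.ppid in by_pid else None].append(e)
    lines: List[str] = []

    def walk(node: ProcEvent, depth: int) -> None:
        lines.append("  " * depth + f"{basename(node.image)} (pid {node.pid})")
        for child in children[node.pid]:
            walk(child, depth + 1)

    for root in children[None]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for f in detect(EVENTS):
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
```

The two rules fire on PIDs 2804 and 3616 only; the control chain is silent because powershell.exe lives under the Windows directory. The parent-location check is what keeps the rule usable on developer and administrator workstations, and it is also the rule's blind spot: an attacker who reaches the same compile-at-runtime pattern from a trusted host process will not be caught by it, so pair it with a response-file content check or with an allow-list of expected compiler parents.
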
Network

Country Destination Domain Proto Rows
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp 1
GB 23.44.234.16:80 (none) tcp 1
US 8.8.8.8:53 bejnz.com udp 1
US 34.67.9.172:80 bejnz.com tcp 43
N/A 127.0.0.1:127 (none) tcp 43
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp 1
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp 1
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp 1
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp 1
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp 1
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp 1
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp 1
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp 1

Rows are grouped here; in the original listing they appear in time order, with the PTR lookups scattered between the bejnz.com connections, each of which is again followed by one loopback row to 127.0.0.1:127. Only 172.9.67.34.in-addr.arpa is tied to the sample's traffic (it is the reverse lookup of 34.67.9.172); the other PTR queries and the single connection to 23.44.234.16:80 carry no process attribution in the report and should not be listed as indicators for this sample without corroboration. As on Windows 7, the domain bejnz.com is the durable indicator and the loopback rows are not indicators at all.
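
The raw network tables mix three kinds of row: DNS lookups through the sandbox resolver, connections to external hosts, and loopback rows; the reverse lookups are PTR queries whose labels have to be reversed before they can be compared with observed destinations. The Python below is an added example written for this page, not from the report or the sandbox vendor. It parses a constructed subset of the rows above (the 60 and 43 repeated bejnz.com rows of the two detonations are represented by three copies), drops loopback traffic, counts connections per destination, separates PTR lookups that corroborate an observed destination from ones with no attribution, and yields the domain and IP indicators that remain.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed input: rows copied from the Network tables of the two detonations
# above, in the report's column order (Country Destination Domain Proto). The
# Domain column is blank on the loopback and 23.44.234.16 rows, so those rows
# have three fields instead of four.
REPORT_ROWS = """\
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
GB 23.44.234.16:80 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
""".splitlines()


@dataclass
class NetRow:
    country: str
    host: str
    port: int
    domain: str
    proto: str


@dataclass
class IocSummary:
    connections: Counter = field(default_factory=Counter)  # (host:port, domain, proto) -> rows
    domains: Set[str] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)
    loopback_rows: int = 0
    ptr_corroborated: Dict[str, str] = field(default_factory=dict)  # PTR name -> observed destination
    ptr_unattributed: Set[str] = field(default_factory=set)


def parse_row(line: str) -> NetRow:
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:                       # blank Domain column
        country, dest, proto = parts
        domain = ""
    else:
        raise ValueError(f"unexpected row: {line!r}")
    host, port = dest.rsplit(":", 1)
    return NetRow(country, host, int(port), domain, proto.lower())


def ptr_to_ip(name: str) -> Optional[str]:
    """Reverse '172.9.67.34.in-addr.arpa' to '34.67.9.172'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4 or not all(label.isdigit() for label in labels):
        return None
    return ".".join(reversed(labels))


def summarize(lines: List[str]) -> IocSummary:
    rows = [parse_row(line) for line in lines if line.strip()]
    s = IocSummary()
    ptr_names: List[str] = []
    for r in rows:
        if ipaddress.ip_address(r.host).is_loopback:
            s.loopback_rows += 1                # sandbox-internal, never an indicator
            continue
        if r.port == 53:                        # resolver traffic: the queried name matters, not 8.8.8.8
            if ptr_to_ip(r.domain):
                ptr_names.append(r.domain)
            elif r.domain:
                s.domains.add(r.domain.lower())
            continue
        s.connections[(f"{r.host}:{r.port}", r.domain.lower(), r.proto)] += 1
        s.ips.add(r.host)
        if r.domain:
            s.domains.add(r.domain.lower())
    for name in ptr_names:                      # a PTR for an IP we connected to corroborates it
        ip = ptr_to_ip(name)
        if ip in s.ips:
            s.ptr_corroborated[name] = ip
        else:
            s.ptr_unattributed.add(name)
    return s


if __name__ == "__main__":
    summary = summarize(REPORT_ROWS)
    for key, n in summary.connections.most_common():
        print(f"{n:3d}x {key[0]:<18} {key[1] or '-':<12} {key[2]}")
    print("domains:", sorted(summary.domains), "ips:", sorted(summary.ips))
    print("corroborated PTR:", summary.ptr_corroborated, "unattributed PTR:", sorted(summary.ptr_unattributed))
```

On the constructed subset this yields bejnz.com and the two external IPs, with 172.9.67.34.in-addr.arpa tied back to 34.67.9.172 and 58.55.71.13.in-addr.arpa left unattributed, which is the distinction the prose above draws by hand. Run on the full row lists, the counters reproduce the 60 and 43 connection totals of the two detonations.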

Files

memory/4584-0-0x0000000074B10000-0x00000000750C1000-memory.dmp

memory/4584-1-0x0000000001650000-0x0000000001660000-memory.dmp

memory/4584-2-0x0000000074B10000-0x00000000750C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9bhzyozn.cmdline

MD5 5a9d87bf81ab23cd6d6cd8eacd0a7561
SHA1 664b2db300c88b40c233f6d9eb0591468bce37df
SHA256 dc30d5b071788fe92d20e869d340ca9284b56e8b22fa25e3fd747dceeedb478e
SHA512 d5ddca6379bf638629f853c2609c63addec8789b4dfa28f93cca11d6983c221b1592be14f4ac85d5c700434a5beb77eb018560bff7fff37679e52f0bb916d2c2

C:\Users\Admin\AppData\Local\Temp\9bhzyozn.0.vb

MD5 924c1a9c88e77a5f7a92d0a821e3e1a8
SHA1 311737ca2f0c563e3b375896fe9a3f27485035de
SHA256 71eef00e9c529ec90558c1e697d263a303a4c5808ae51233df683e6d5c0f80b6
SHA512 852b28771170f8dad65511d03dfc1e8bbfc7d6daf153bd2af6b891fd0e0d341e2c539d58ee34e16eff853e8ab204b706344c282eb4737e5f260f30914c41bb06

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbc98B54ED31A9F4458A86D49B54991695B.TMP

MD5 9c2ebd7264ebd47c3e91d3e155fb37b0
SHA1 fcca16aa6214ce39739ce3d00eabd43988c3fd8d
SHA256 4fa60a66051cb3ac219b76493fef3015235b2be11ab16a05a839260bbc01bb1f
SHA512 32fc28a167391208dbf5ac773694b704cbc03cf24fc163ddc97758f60ae3a5df80868e6a7e3e6bd3b1ad1b0736bd34161fe2cf56ea1054d2face3b720f92ae76

C:\Users\Admin\AppData\Local\Temp\RES4D26.tmp

MD5 a259506cb1633f2d0078f0e1034b968b
SHA1 30b49cdbb47c340c468d90b5554ec9e2440a4119
SHA256 e20aaeef98771b6c5b0bc3fd216373493a6331a66b323df54de72ef69de27e45
SHA512 bd88994a8b09aaebec694020d9d2483a1f144706bc934901ef9021b31a6f30e55f5e5837b8242fb689114c8b04d1e3d03dd1b1e9e4207a9b223a7ba142c0aea1

C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp.exe

MD5 3ea4350ca67bcb179a503185ba44db3b
SHA1 480beb9df65a589d61e58edd1a90d6bf99b5bde7
SHA256 d96588e9e38aa1da94cf09d11886412b354e61c94df69d441751ca421a1e3e89
SHA512 207f556222b23876049f7a00a6d8a0c60fc00cbb2a73d3e1dc35856791345c64c455cb9022b8e181d64280eb67bfb430f3251eaa32d77780ff580d5b8b4da5eb

memory/3616-21-0x0000000074B10000-0x00000000750C1000-memory.dmp

memory/4584-20-0x0000000074B10000-0x00000000750C1000-memory.dmp

memory/3616-22-0x0000000074B10000-0x00000000750C1000-memory.dmp

memory/3616-24-0x00000000012A0000-0x00000000012B0000-memory.dmp

memory/3616-25-0x0000000074B10000-0x00000000750C1000-memory.dmp

memory/3616-26-0x00000000012A0000-0x00000000012B0000-memory.dmp