Malware Analysis Report

2024-11-16 13:10

Sample ID 240410-qeptjagg75
Target eb24d7680fdb1b173363177482064b5c_JaffaCakes118
SHA256 5a47d09740e522442aabc10feac3bff2c724320ea6c648467201fa7356a16154
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5a47d09740e522442aabc10feac3bff2c724320ea6c648467201fa7356a16154

Threat Level: Known bad

The file eb24d7680fdb1b173363177482064b5c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Loads dropped DLL

Deletes itself

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-10 13:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 13:10

Reported

2024-04-10 13:13

Platform

win7-20240221-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3024 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2252 wrote to memory of 1676 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3024 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\da28qp1u.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4599.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4588.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp

Files

memory/3024-0-0x0000000074D10000-0x00000000752BB000-memory.dmp

memory/3024-1-0x0000000074D10000-0x00000000752BB000-memory.dmp

memory/3024-2-0x00000000009A0000-0x00000000009E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\da28qp1u.cmdline

MD5 896515befc7c73855bcdb1b13adecb8c
SHA1 99388d5fe2145836ca04618d4bacfdd7a39320c3
SHA256 5162a98df4b0a29da5d921c2ef4e2feb2937132f552a8a529bf368ac050a0b55
SHA512 6ac16a818d281174cc90aa8da9084e514b476d4fb5142996374f5615e61a92f59039e6a0e171097a11a6723f294987de6194c412d3372f6c614a4246bb66b61a

memory/2252-8-0x00000000003A0000-0x00000000003E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\da28qp1u.0.vb

MD5 5b40c37cfb51ebb1a08c18113e5ac7ce
SHA1 78a88a25b72642ba90a612660c6818fbb8b67e0f
SHA256 c9ba6739eba99dd79671917fc8b1e14da73d7ae940331f364e07a9a82e24b4f0
SHA512 29a87059377e7fffb98f95f9798c7bab6c82962ab38bf0ce25e4e7e5f6b146ccf44ee7b475befcaf1daba568c19255dfbd4bcd15b41080ad075ae5152ad309ff

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbc4588.tmp

MD5 9e0ad11c9bb3c891380fdab6ce486db6
SHA1 2e205b252f25dc0abfb7ee1ea565dfdba4a447ca
SHA256 c538c431d945497f46fd4261fef40dc205496637ba2aa6aae5176119e58d2717
SHA512 57eb563e52d1732235d3f15ffc25345738c4f30a5d63b9db643a70fde495750f6a711c0e1936d6c4c89a0169d27bc3e701a13525d6ee525da6824f3b265817b5

C:\Users\Admin\AppData\Local\Temp\RES4599.tmp

MD5 ddb964330eabe0a1f47759c65639e9dc
SHA1 8444c3b17182055c9a99a0f3a47408b778cf7517
SHA256 e6c0b8a30554b59793a020860ad2bae08e8da652a3468550612d7e68c30c99cc
SHA512 ac8a019365d59449299cf259d84460af453f71ae1d099a812917106c9d3cd07aef3602b0017f37b7a9e103e7ec89c3617dac063d067499ec20a57f5e54aa19be

C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp.exe

MD5 2d490ea21a9821ddd828a6b203e2ab58
SHA1 d94a9e7d7db7123672c50f8a7476204d536107e5
SHA256 91bdddb69a03f70a91bc4c6c2ee657dccea152e21d23ad31d7539227218d2524
SHA512 ddb4467e45de9246f0b5ea2c9eb5e184c3334a2305af4dd0a19a48b94e27fffa0f4911db9acbe2b5d2b3a1a046468bf8d3df89227379e7874eb1c2eba5b4351c

memory/3024-23-0x0000000074D10000-0x00000000752BB000-memory.dmp

memory/2644-24-0x0000000074D10000-0x00000000752BB000-memory.dmp

memory/2644-25-0x0000000001E50000-0x0000000001E90000-memory.dmp

memory/2644-26-0x0000000074D10000-0x00000000752BB000-memory.dmp

memory/2644-28-0x0000000001E50000-0x0000000001E90000-memory.dmp

memory/2644-29-0x0000000074D10000-0x00000000752BB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 13:10

Reported

2024-04-10 13:13

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8637.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8637.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp8637.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp8637.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4756 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1368 wrote to memory of 1532 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4756 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp8637.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mzitjs0p.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8760.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50E2258866E54145AE6B45A715A9471A.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp8637.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8637.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eb24d7680fdb1b173363177482064b5c_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

memory/4756-0-0x0000000074970000-0x0000000074F21000-memory.dmp

memory/4756-1-0x0000000074970000-0x0000000074F21000-memory.dmp

memory/4756-2-0x0000000000D30000-0x0000000000D40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mzitjs0p.cmdline

MD5 79bca7cbc155deebbc99b5a9637b2e96
SHA1 b92a664d5371d596ee893a09cec580b2dd06b923
SHA256 0233e01021c81954dd2e65997f1ac4c4d69eac696be8d3306ca17abcf6900c6d
SHA512 84da4b6d4dd52434d8eb2c814cfc0e2fbe67452539a5ec6de0991e0fc364ca6d64669281f92a41ef9bbee12a7bfd4f2b2cb7c508464a4968fee132062c2c3644

memory/1368-8-0x00000000022F0000-0x0000000002300000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mzitjs0p.0.vb

MD5 7543e813a7444dcd7783329e91021d82
SHA1 be077e6ea465bdf75f5dd65ea118ddf31fffdc57
SHA256 82bb0e2a0b88d000601082c1aa2776cc5bf183207fd5c1b94c55cd064ccaac5f
SHA512 f5d7f9f14f1c7729f9fa2a8a56be2953ec0e2aa4ef5a3d936645f4fa6fcc832eae7f825d0305061946eb55561c479c386dff548a754d9ff7ebddad343ee81981

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbc50E2258866E54145AE6B45A715A9471A.TMP

MD5 f8560a2b0f15fa991b1db9a6b05107cc
SHA1 539c9a1fc4cfa9b20b486103cf00e8cd030f4207
SHA256 bbaedd7a1ae71d1317bf34c898225043288332f25d418d2f071dc983b40fdd60
SHA512 2f0f3306e387088b831f9ebcc4ab9bfe583515d87442dba338da6948462c5047f17e3dfda2148e5fa5ed80bfc4df0493b1e94d15ec4af81a1b6643139bc0ae2e

C:\Users\Admin\AppData\Local\Temp\RES8760.tmp

MD5 6df90ff56aeeb1b05c5c5ac6f1874fc1
SHA1 9c14ea1f9778e583ab9be2ad5d3acfd3d02a85d7
SHA256 7a22d58d4303a179efd5397a3908d8584c6e1f5fba8d5f94c1682431fe14df24
SHA512 ce7781b8fc22c8c3272c4e244911265e8c49caf39d610755d90a8bbbb445b98da86b0e16d49f2bf7f03b2f28029de283347e003f02061fb808995d684797a027

C:\Users\Admin\AppData\Local\Temp\tmp8637.tmp.exe

MD5 a32172b046fd45804cc66e610d19d788
SHA1 a5c2bde7920d55c5a6b45014b2a3cec0ef0ee65e
SHA256 92623416dd1d6f617730f34204c595b43608b9c327a520ef1137f06043021544
SHA512 16f60dde3c5cca44cf5a4098e22c06ac7f65524d62520f470f9e4bb4a12ee24c5abf1dea9815811a3710d0ee8e5964030b1a05c49f132afacd1c7b05a6e943b7

memory/4756-21-0x0000000074970000-0x0000000074F21000-memory.dmp

memory/860-22-0x0000000074970000-0x0000000074F21000-memory.dmp

memory/860-23-0x0000000000DF0000-0x0000000000E00000-memory.dmp

memory/860-24-0x0000000074970000-0x0000000074F21000-memory.dmp

memory/860-26-0x0000000000DF0000-0x0000000000E00000-memory.dmp

memory/860-27-0x0000000074970000-0x0000000074F21000-memory.dmp

memory/860-28-0x0000000000DF0000-0x0000000000E00000-memory.dmp

memory/860-29-0x0000000000DF0000-0x0000000000E00000-memory.dmp