Malware Analysis Report

2024-11-16 13:11

Sample ID 240411-b3ssrsgh59
Target ec6928530f59c9665688835cc5756c1a_JaffaCakes118
SHA256 2dd6866d0f01e4edc66e827b7b010aa29300c220779722ffdbedd2eb3a64400c
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2dd6866d0f01e4edc66e827b7b010aa29300c220779722ffdbedd2eb3a64400c

Threat Level: Known bad

The file ec6928530f59c9665688835cc5756c1a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Loads dropped DLL

Executes dropped EXE

Uses the VB.NET compiler (vbc.exe) for execution

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-11 01:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-11 01:40

Reported

2024-04-11 01:43

Platform

win7-20240319-en

Max time kernel

155s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp75AD.tmp.exe N/A

Uses the VB.NET compiler (vbc.exe) for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp75AD.tmp.exe N/A

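The Run value above points at C:\Users\Admin\AppData\Local\Temp\big5.exe, a path inside the user's Temp directory; the Files section of this analysis lists no big5.exe being written, so in the sandbox the entry may well be dangling. What follows is an added example, not part of the sandbox report, that triages Run/RunOnce values by where their target executable lives. The severity tiers, the %VAR% defaults used for offline expansion, and the sample values (the ShFusRes entry from this report plus two common benign entries) are assumptions made for the example.

```python
"""Triage Run/RunOnce values whose target lives in a user-writable directory.
Added example, not part of the sandbox report."""
import re

RUN_KEYS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]

# Assumed %VAR% defaults so the check runs offline; on a live host use os.path.expandvars().
ENV = {
    "%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows",
    "%programfiles%": r"C:\Program Files",
    "%localappdata%": r"C:\Users\Admin\AppData\Local",
    "%appdata%": r"C:\Users\Admin\AppData\Roaming",
    "%temp%": r"C:\Users\Admin\AppData\Local\Temp",
}
# Temp, Public, Downloads and the ProgramData root: nothing legitimate autostarts from here.
HIGH = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\|\\users\\public\\|\\downloads\\|\\programdata\\[^\\]+$", re.I)
# Other per-user locations: per-user installers (OneDrive, Teams) also live here, so only medium.
MEDIUM = re.compile(r"\\users\\[^\\]+\\appdata\\|\\programdata\\", re.I)


def expand(s: str) -> str:
    return re.sub(r"%[^%]+%", lambda m: ENV.get(m.group(0).lower(), m.group(0)), s)


def target_path(data: str) -> str:
    """Pull the executable out of a Run value: the quoted path, or the first token ending in .exe."""
    data = expand(data.strip())
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", data, re.I)
    return m.group(1) if m else (data.split()[0] if data else "")


def triage_run_values(values, exists=lambda p: None) -> list:
    """values: iterable of (key, value_name, data). Returns findings, highest severity first;
    pass exists=os.path.exists on a live host to spot dangling entries."""
    out = []
    for key, name, data in values:
        path = target_path(data)
        if HIGH.search(path):
            sev = "high"
        elif MEDIUM.search(path):
            sev = "medium"
        else:
            continue
        out.append({"key": key, "name": name, "path": path, "severity": sev, "exists": exists(path)})
    out.sort(key=lambda f: f["severity"] != "high")
    return out


def collect_live_run_values() -> list:
    """On Windows, read the real Run keys via winreg; elsewhere return []."""
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    out = []
    for key in RUN_KEYS:
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break
                    out.append((key, name, str(data)))
                    i += 1
        except OSError:
            continue
    return out


# Constructed sample: the ShFusRes value from this report plus two common benign entries.
SAMPLE_VALUES = [
    (RUN_KEYS[0], "ShFusRes", r'"C:\Users\Admin\AppData\Local\Temp\big5.exe"'),
    (RUN_KEYS[0], "OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEYS[2], "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for f in triage_run_values(collect_live_run_values() or SAMPLE_VALUES):
        print(f["severity"], f["name"], f["path"])
```

Run on the constructed sample, ShFusRes comes out as high (Temp) and OneDrive as medium, while the SecurityHealth entry under %windir% is not reported at all. The medium tier exists precisely because per-user software installs into AppData\Local too; a Temp target, by contrast, is reason enough on its own to pull the binary.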
Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp75AD.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 2752 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 1920 (4 writes) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1968 wrote to memory of 2892 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp75AD.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l5xonoua.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7734.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7723.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp75AD.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp75AD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe

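The process list above, read together with the WriteProcessMemory rows, is a runtime-compilation chain: the sample writes a .vb source and a .cmdline response file to Temp (both appear under Files), invokes the .NET Framework 2.0 VB.NET compiler with vbc.exe /noconfig @...cmdline, which runs cvtres.exe to turn the compiled resources into a COFF object, and then executes the freshly built tmp75AD.tmp.exe with the dropper's own path as its argument. Parent-to-child WriteProcessMemory calls of this shape also occur during ordinary process creation, so on their own they are weak evidence; the chain is the signal worth detecting. The block below is an added example, not part of the sandbox report, that flags that chain in Sysmon-style process-creation events. The event field names, the allowlist of developer parents (devenv.exe, msbuild.exe, dotnet.exe) and the sample events are constructed from the process tree in this report and are assumptions made for the example.

```python
"""Detect the vbc.exe -> cvtres.exe -> dropped *.tmp.exe chain from this report
in Sysmon-style process-creation events. Added example, not part of the report."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 record (field names assumed for the example)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str


# Directories an unprivileged user can write to; compiler inputs should never live here.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\windows\\temp\\", re.I)
DOTNET_COMPILERS = ("vbc.exe", "csc.exe")
# Parents for which an on-the-fly compile is expected (assumed allowlist; tune per estate).
DEV_PARENTS = ("devenv.exe", "msbuild.exe", "dotnet.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return the chain stages a single event matches (empty list if nothing matches)."""
    hits = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    # Stage 1: a .NET compiler started by a non-developer process with a
    # response file (@x.cmdline) that lives in a user-writable directory.
    if image in DOTNET_COMPILERS and parent not in DEV_PARENTS:
        resp = re.search(r'@"?([^"\s]+\.cmdline)', ev.cmdline, re.I)
        if resp and USER_WRITABLE.search(resp.group(1)):
            hits.append("compiler-from-temp")
    # Stage 2: cvtres.exe spawned by that compiler (resource conversion step).
    if image == "cvtres.exe" and parent in DOTNET_COMPILERS:
        hits.append("cvtres-after-compile")
    # Stage 3: a *.tmp.exe executed from a user-writable path; when the parent's
    # own path is passed as an argument, the dropper handed itself to the payload.
    if image.endswith(".tmp.exe") and USER_WRITABLE.search(ev.image):
        hits.append("dropped-tmp-exe")
        if ev.parent_image.lower() in ev.cmdline.lower():
            hits.append("parent-path-as-argument")
    return hits


def find_chains(events) -> dict:
    """Group stage hits under the root ancestor present in the event set,
    so the whole chain can be judged per originating process."""
    by_pid = {e.pid: e for e in events}

    def root_of(e: ProcEvent) -> int:
        while e.ppid in by_pid:
            e = by_pid[e.ppid]
        return e.pid

    stages = {}
    for e in events:
        for tag in classify(e):
            stages.setdefault(root_of(e), set()).add(tag)
    return stages


FULL_CHAIN = {"compiler-from-temp", "cvtres-after-compile", "dropped-tmp-exe"}

# Constructed events mirroring the behavioral1 process tree (PIDs from the report),
# plus one benign build-server compile that must not fire.
T = r"C:\Users\Admin\AppData\Local\Temp"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = T + r"\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe"
EVENTS = [
    ProcEvent(1968, 1000, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(2752, 1968, FW + r"\vbc.exe",
              f'"{FW}\\vbc.exe" /noconfig @"{T}\\l5xonoua.cmdline"', SAMPLE),
    ProcEvent(1920, 2752, FW + r"\cvtres.exe",
              f'{FW}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{T}\\RES7734.tmp" "{T}\\vbc7723.tmp"',
              FW + r"\vbc.exe"),
    ProcEvent(2892, 1968, T + r"\tmp75AD.tmp.exe", f'"{T}\\tmp75AD.tmp.exe" {SAMPLE}', SAMPLE),
    ProcEvent(5001, 5000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig @"C:\build\src\app.cmdline"',
              r"C:\Program Files\MSBuild\msbuild.exe"),
]

if __name__ == "__main__":
    for root, tags in find_chains(EVENTS).items():
        verdict = "FULL CHAIN" if FULL_CHAIN <= tags else "partial"
        print(root, verdict, sorted(tags))
```

On the constructed events only root PID 1968 is reported, with all three stages plus the parent-path-as-argument marker; the msbuild-driven csc.exe compile produces no hit because its parent is allowlisted and its response file is not in a user-writable directory. Correlating on the root ancestor rather than alerting per event is what keeps a lone cvtres.exe launch from paging anyone.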
Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp (58 connections, alternating with the loopback row below)
N/A 127.0.0.1:127 tcp (57 connections)

Files

memory/1968-0-0x00000000741E0000-0x000000007478B000-memory.dmp

memory/1968-1-0x00000000741E0000-0x000000007478B000-memory.dmp

memory/1968-2-0x0000000002370000-0x00000000023B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\l5xonoua.cmdline

MD5 300125018862e2e92369bd6cca8e3d3a
SHA1 abdfeeb537ff4549b875cc753797beecd3359f8c
SHA256 41d0a297bce0f06472f7605224a742487f3d0db2e1af1d00502a8868650338a1
SHA512 f6e6fb50e696341636c37902bafcdf81a75b0a9dca51ea17701028c163dc2d13357babb827003b9510aafab884508ec4b530779682bcb921a183acc244b83d2c

C:\Users\Admin\AppData\Local\Temp\l5xonoua.0.vb

MD5 66cf0f6310e8d1db93691e6780d442dd
SHA1 d71b73a5392258d6b436e788943a4416adbc5692
SHA256 f58be8de86a95935a809dc47a2cc172d6be4e9c30b0f8b69c2757a5ed51ded51
SHA512 4eb80b702127f3d15286aed8ae62ad7f994ae7eec552f0215f4c0429406a13a271c4f6a0c1cb3d69ae38c1e3fd5daa0275c3ce167cb3eb51a60daecaa1831622

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbc7723.tmp

MD5 3e9ebb367f9d9c890116d3f09ddd48be
SHA1 8e258461d60b018ecd5e1f1cd7004c0ba9905295
SHA256 1ddeb103afa7964848b1d32921dcb77f4bbc19af8354bc3b7f26772c4526cbcf
SHA512 88ea20587894addffff732419004e5449cde1abc925f7a603d0ced6189e7d1a1cd38917b303ea82bfaa4b7d7b41acd2fee7d8ff6137a346f2a238482ead591a5

C:\Users\Admin\AppData\Local\Temp\RES7734.tmp

MD5 9c6405f69a51b533f1a6e2c70caff7b3
SHA1 8d4645a692246dc713529b6eaff0fde83fa51ff3
SHA256 7f8aacd9118a07cdb3a4b0e902ca83662e78c4632dd0b0017ee72903b028ea15
SHA512 59dea50bd9aee34b160b63080c26e44f8430d3c2ecf4e4b58ccabe0f01f1a9da8105d3de8be02e5afa65032f64b38297d2524535408312af19cf7af06923afe9

C:\Users\Admin\AppData\Local\Temp\tmp75AD.tmp.exe

MD5 f20ce876b4a43570b2c67aa0dfdaaa0a
SHA1 b6f6b34e7f90a2e7ebd6d1f652ccfcaf29634c8f
SHA256 37addfb740939d12eb6400b15855442e32d5e19b0ca046a637f9bb4e130eea2e
SHA512 499e8fc1713c93a617c34ade8b31cebe9101a4e97f734b6324f5b901de4f20a16da0516e2b61e4730206d609a85e91a6c66d76dadca8c39a7b98cbc12485a000

memory/2892-22-0x00000000741E0000-0x000000007478B000-memory.dmp

memory/1968-23-0x00000000741E0000-0x000000007478B000-memory.dmp

memory/2892-24-0x00000000004A0000-0x00000000004E0000-memory.dmp

memory/2892-25-0x00000000741E0000-0x000000007478B000-memory.dmp

memory/2892-27-0x00000000004A0000-0x00000000004E0000-memory.dmp

memory/2892-28-0x00000000741E0000-0x000000007478B000-memory.dmp

memory/2892-29-0x00000000741E0000-0x000000007478B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-11 01:40

Reported

2024-04-11 01:43

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp82FB.tmp.exe N/A

Uses the VB.NET compiler (vbc.exe) for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp82FB.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp82FB.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3996 wrote to memory of 4900 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4900 wrote to memory of 224 (3 writes) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3996 wrote to memory of 208 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp82FB.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ai1asdzd.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8472.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA45F7123AF3A4641A6D48D74FBDCF6D.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp82FB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp82FB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ec6928530f59c9665688835cc5756c1a_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp (42 connections, interleaved with the DNS lookups above and the loopback row below; the last one is logged without a domain)
N/A 127.0.0.1:127 tcp (42 connections)

Files

memory/3996-0-0x0000000074B30000-0x00000000750E1000-memory.dmp

memory/3996-1-0x0000000074B30000-0x00000000750E1000-memory.dmp

memory/3996-2-0x0000000001540000-0x0000000001550000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ai1asdzd.cmdline

MD5 6503818c55c297800cff8f5e056ea106
SHA1 1aed37991b783592643cf425dc7ddbc0d82872c5
SHA256 129e348697c8b5ea9025bb1b652cea7b4b251f048d1eb97e690ad55581be959b
SHA512 8ab57229bc8141a778457da763f85a86745ccca5a3caf71d04d7b6c167b1facb353a84e1334ec60f4dee742ca81ed65bd0e77c5c43bb0a7fa0751cfd5fa52508

memory/4900-8-0x00000000024D0000-0x00000000024E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ai1asdzd.0.vb

MD5 70ea843bbb76ad05db2fdde08371cce0
SHA1 5f85fdd56aca7be1bf03bac63f010d8ae3fb34ee
SHA256 31f9499226bb318c513f00556f2abdae44cb8e2793b71febe355c065153a9eb5
SHA512 28d6218a30a53c25d89f740e27c3b42e025e0cbf6dfaf378a34ea6e4be964658b0676b66c48f9c1fc8ef06023e39c05f7e864f38ab760e4ae69e80504db10795

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbcA45F7123AF3A4641A6D48D74FBDCF6D.TMP

MD5 19a8e6f1d2ea478dbdb7ca09998369a3
SHA1 f463feee80fcce75908354b62831b5e9819c2859
SHA256 ace9024998bdce58d39ec7feccedf931278465cdb94cf5ac9e55309542bec7bf
SHA512 4dda7143ac91a2ae12c6597fb25d932c10d634092a63535c52e2d4eee5ec3b10fe28903c78be162a2798c09ec50ff436a5814adb8e681c5cfa24b1de13a20d05

C:\Users\Admin\AppData\Local\Temp\RES8472.tmp

MD5 d10284553d592d41145a69d655d31df7
SHA1 eba36c8952ca5b49ea95a48c544fec3bf94d394b
SHA256 52b8cbeae91143c8ddaeafd9475448fb957c93c83a140816d610e567114d71e6
SHA512 986d507b1bc1f1517486d3483ac201b64e196c00aa91059b654f59c134f1427f6b07667c688adfde5477b4bd9c0d49805cef1df0a6f3f20fcd392e7a5e6c6fcd

C:\Users\Admin\AppData\Local\Temp\tmp82FB.tmp.exe

MD5 4473d6e545de3e032f73d3bb65148880
SHA1 f8d85dfba23370c219d1a44cc49d35d04d88d510
SHA256 55ba3559e60f9136382767787fbbfb0a8638e5bd3a7f964dda893e7c0d01f434
SHA512 db6a33349dc6c1a524be5ca46f9261060be4270f16f4ad4109662357d316d787ada39fd3dabc598e55986e0815846a9f51ec2a1a55a21641d8a0f587b3421552

memory/3996-21-0x0000000074B30000-0x00000000750E1000-memory.dmp

memory/208-22-0x0000000074B30000-0x00000000750E1000-memory.dmp

memory/208-23-0x0000000001410000-0x0000000001420000-memory.dmp

memory/208-24-0x0000000074B30000-0x00000000750E1000-memory.dmp

memory/208-26-0x0000000001410000-0x0000000001420000-memory.dmp

memory/208-27-0x0000000074B30000-0x00000000750E1000-memory.dmp

memory/208-28-0x0000000001410000-0x0000000001420000-memory.dmp

memory/208-29-0x0000000001410000-0x0000000001420000-memory.dmp