Malware Analysis Report

2024-11-16 13:11

Sample ID: 240411-jeha5ahh4y
Target: ece603c81456294d88e05e0c42f81e51_JaffaCakes118
SHA256: b01a9945d1ac0c4fcb81680837b580e07b56f830bbf61d5c1ca071f8618a3f5a
Tags: metamorpherrat persistence rat stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: b01a9945d1ac0c4fcb81680837b580e07b56f830bbf61d5c1ca071f8618a3f5a

Threat Level: Known bad

The file ece603c81456294d88e05e0c42f81e51_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Checks computer location settings

Executes dropped EXE

Uses the VBS compiler for execution

Loads dropped DLL

Deletes itself

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-11 07:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-11 07:34
Reported: 2024-04-11 07:37
Platform: win7-20240215-en
Max time kernel: 149s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1046.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp1046.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp1046.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2316 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2316 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2316 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1744 wrote to memory of 2084 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1744 wrote to memory of 2084 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1744 wrote to memory of 2084 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1744 wrote to memory of 2084 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2316 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp1046.tmp.exe
PID 2316 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp1046.tmp.exe
PID 2316 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp1046.tmp.exe
PID 2316 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp1046.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7m_a_az7.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1112.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1111.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp1046.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1046.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 tcp

Files

memory/2316-0-0x00000000742E0000-0x000000007488B000-memory.dmp

memory/2316-1-0x0000000000150000-0x0000000000190000-memory.dmp

memory/2316-2-0x00000000742E0000-0x000000007488B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7m_a_az7.cmdline

MD5 8e6dd8f164c62464647f1f1c20d8c6ad
SHA1 fbc654481bc79d3630fbbc4f5e7fad4d15510acc
SHA256 1e4598effc92ff14be4455185925ba048e80b0af02a098cab28066ae36b7edc2
SHA512 5d36035fb05a02252ab532b0179bdc3307990cef46b5046ef9f3022aba195812cf4b5d320b23df21c73ae14095ecaa1f70227a7137d8cdf9249a36b3efb55caa

C:\Users\Admin\AppData\Local\Temp\7m_a_az7.0.vb

MD5 bc6dac9026e3e891df386536f018a652
SHA1 88e69709ca10992d168084ac372d50e20c029091
SHA256 e80163f5707a60ba8802946830dbefea73cc7117cda2bae1d4cd3dd0b6dadc25
SHA512 f53b5dcf521336cbab76568678cc23b13cfaac92de77ad2007fb79cc21c2da7208dfdc67d7a6cf680027d924135a17e5b11042c9e702702a0392c578bacf76f8

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbc1111.tmp

MD5 0012eb1cade60971198c19845856ad20
SHA1 785b28775c982a0990ac693879bfc9a66b11f8a7
SHA256 9465cc8b54e005cc53514743896cf551373896684a243d9d929614fc6e153285
SHA512 887fd9bb4b712588b34d85a65d7a3913f7d63c23d9cc4e4dfd6c544aa88c9a570860b97ec1bc88a169b02aba06180ea25c27b0a707a0207722abe28b6cec9ca0

C:\Users\Admin\AppData\Local\Temp\RES1112.tmp

MD5 9afacb8ffb1936e1316bcc3e78d03931
SHA1 2d130fe4ed8266860a053d2e3752aa3b90bfcd9f
SHA256 11f206f0e5ec7dca3a77a327b52881eaf2f239debca60b40e4ba386b1d94354b
SHA512 04fc12857a46e4f08ed6a9e3ccbd0e5f309ae2ae08d38d9583c985215620a781c8f000b3a2587ff61b4e880a423e2238519fb9d559eac19d3547d9181b704dd8

C:\Users\Admin\AppData\Local\Temp\tmp1046.tmp.exe

MD5 cdf9fc336a87e5b0baa9df1c144e7242
SHA1 2ad666856d3f230d5f64da1f37aa86d6965461b0
SHA256 6ee647040c2d7d39c0df192cd4cc79d733ea02f68e62c3a52f63e8c67d1f17e9
SHA512 8e482225e52b75fddbff856d18654c58e91cd9289400c5aa09408d9c62d1476203b2dd2d6d45465e72ba022c8d4813e5c4666d2eaae27e46536e01ed4cebbeb5

memory/2676-23-0x00000000742E0000-0x000000007488B000-memory.dmp

memory/2316-22-0x00000000742E0000-0x000000007488B000-memory.dmp

memory/2676-24-0x0000000000EA0000-0x0000000000EE0000-memory.dmp

memory/2676-25-0x00000000742E0000-0x000000007488B000-memory.dmp

memory/2676-27-0x0000000000EA0000-0x0000000000EE0000-memory.dmp

memory/2676-28-0x00000000742E0000-0x000000007488B000-memory.dmp

memory/2676-29-0x0000000000EA0000-0x0000000000EE0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-11 07:34
Reported: 2024-04-11 07:37
Platform: win10v2004-20240226-en
Max time kernel: 147s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp3CDA.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp3CDA.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp3CDA.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp3CDA.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4752 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4752 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4752 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4100 wrote to memory of 4688 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4100 wrote to memory of 4688 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4100 wrote to memory of 4688 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4752 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp3CDA.tmp.exe
PID 4752 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp3CDA.tmp.exe
PID 4752 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp3CDA.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kixbg8iu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E22.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA19790BF76044A82965D41AABA11A33F.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp3CDA.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3CDA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ece603c81456294d88e05e0c42f81e51_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp

Files

memory/4752-0-0x0000000074AF0000-0x00000000750A1000-memory.dmp

memory/4752-1-0x0000000001770000-0x0000000001780000-memory.dmp

memory/4752-2-0x0000000074AF0000-0x00000000750A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kixbg8iu.cmdline

MD5 014c5784dda013648ece660e005651da
SHA1 1b6f490b744132b100e5ffd61adb557bd5abf84c
SHA256 ab2b6fe10654e15b66419fe6e9c91418a9d16533d08a9c54726ce95ebb12a4ad
SHA512 fadb17d4237a00c8442c64e2dd7eb6c32d8e51ef831abc3df1d73c53c91b5f3ee2003296c4812099a686c186ed3dec4421530cb83cf6f42c83533ffcdab54808

memory/4100-8-0x0000000002430000-0x0000000002440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kixbg8iu.0.vb

MD5 e13f2f90275faa66616141708ebe6049
SHA1 332dee9ae453d9a367026a007c1c9577ff4ffbbe
SHA256 fd06903a459be31012fef4debe611ef56425c0eaa76c49f38ca95babfbaf9948
SHA512 3a34b87cf06e1fa9a6439aae98f492a3ec95f0cc258a69238844e004b1ec8237645b4a13cb79df05cd672c145db6116c2dab9d4cb9532ca2033d999aa16d90e7

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbcA19790BF76044A82965D41AABA11A33F.TMP

MD5 f6faaf7fdb38f8d031a212c1bc11337d
SHA1 c84b96a14f45d21b1c1a0728d2b417dcf10ff0fc
SHA256 a6c82131bbe4f1bf510c82e7c8adcbbb2451c9a9661a71522c9eaaa41cd8438d
SHA512 9fcb6d8d48a900a8f40eba5df34cc306218e08f87df9fb33be5a26d01805d100e71c0447d9aeb01713c3498c54c95f428f7a93bc8283cc4586b2d6075a5e44e5

C:\Users\Admin\AppData\Local\Temp\RES3E22.tmp

MD5 1727472890186d3f9f92b6da9e118990
SHA1 0417c9af5cf0122d5eacaba335c89e0614c6ddb1
SHA256 6f609cd7c47bb80a011acf95c109990eff4afa6b001bf4861d9334f32488b5dd
SHA512 7e3111536cfd606a91634121b906d7cfb96ea41e50418c6cd74bb40af9728ae949d9e4df879747abe119fa3bf66c085c34b93911d993c7844f2390c8ea39af5b

C:\Users\Admin\AppData\Local\Temp\tmp3CDA.tmp.exe

MD5 2e9d455342935463d2a98db8bcaac0a1
SHA1 c5321b34807d008573f8969e9c9656ad729129c5
SHA256 eddf749a115e85869f0b4e7326f267f6f3b0a1222eb68666f2b4615a07e2b66f
SHA512 04cfba40d5af9fb1b014d59fca7a03661a6b0c10ea22ad2e72b5e65eb1b6477a304a11f70e3fff8171bf5edc1dcc1c57ac644bbe346739d8b11964eeb74db41b

memory/4752-21-0x0000000074AF0000-0x00000000750A1000-memory.dmp

memory/4608-23-0x0000000001470000-0x0000000001480000-memory.dmp

memory/4608-22-0x0000000074AF0000-0x00000000750A1000-memory.dmp

memory/4608-24-0x0000000074AF0000-0x00000000750A1000-memory.dmp

memory/4608-26-0x0000000001470000-0x0000000001480000-memory.dmp

memory/4608-27-0x0000000074AF0000-0x00000000750A1000-memory.dmp

memory/4608-28-0x0000000001470000-0x0000000001480000-memory.dmp