Analysis Overview
SHA256
793122bd1d2a248966abe74363e4db61945ad24b133c38f78db67da550cccd58
Threat Level: Known bad
The file edd8e3023a94a085a99a36ee52560605_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Uses the VBS compiler for execution
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-04-11 16:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-11 16:22
Reported
2024-04-11 16:25
Platform
win7-20240221-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
MetamorpherRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp70CD.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\edd8e3023a94a085a99a36ee52560605_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\edd8e3023a94a085a99a36ee52560605_JaffaCakes118.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp70CD.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\edd8e3023a94a085a99a36ee52560605_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp70CD.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
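The signatures above describe a compile-and-run chain that the Processes list below shows in full: the dropper in %TEMP% invokes the Visual Basic compiler shipped with .NET Framework 2.0 (vbc.exe /noconfig @<random>.cmdline), which calls cvtres.exe to convert the generated resource file, and the dropper then runs the freshly compiled tmp70CD.tmp.exe with its own path as the argument; that child sets the Run value aspnet_state_perf pointing at %TEMP%\System.Web.exe, a file that does not appear among the dropped files in either detonation. Because the payload is compiled on the victim, its hash differs between runs (SHA256 975d0462... on Windows 7 versus f678922f... on Windows 10) while zCom.resources is identical in both (MD5 8fd8e054...), so the process chain and the Run key are the durable detections, not the payload hash. The following Python is an added example, not part of this report or of the sandbox's tooling: it runs both checks over constructed Sysmon-style process-creation and registry records modelled on this run (the PIDs, the record field names and the benign devenv.exe/OneDrive control records are assumptions for illustration).

```python
"""Hunt for the vbc.exe compile-and-run chain and the %TEMP%-resident Run key shown in this report.

Constructed Sysmon-style process-creation (Event ID 1) and registry value-set (Event ID 13)
records stand in for real telemetry; field names are this example's own, not the sandbox's.
"""
from dataclasses import dataclass
import re


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


@dataclass
class RegistryEvent:
    pid: int
    key: str        # full key path including the value name
    value: str      # value data as written


USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# vbc.exe from any installed .NET Framework version, 32- or 64-bit
VBC_IMAGE = re.compile(r"\\microsoft\.net\\framework(64)?\\v[\d.]+\\vbc\.exe$", re.I)
# the response-file form the sample used: /noconfig @"...\<random>.cmdline"
RESPONSE_FILE = re.compile(r'/noconfig\s+@"?[^"]+\.cmdline', re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


def in_user_temp(path: str) -> bool:
    return bool(USER_TEMP.match(path))


def find_vbc_compile_chains(events):
    """Flag a %TEMP%-resident parent that spawns vbc.exe with a response file and also
    launches a new .exe from %TEMP% (the tmp70CD.tmp.exe pattern in this report)."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for parent in events:
        if not in_user_temp(parent.image):
            continue
        kids = children.get(parent.pid, [])
        compilers = [k for k in kids
                     if VBC_IMAGE.search(k.image) and RESPONSE_FILE.search(k.cmdline)]
        dropped = [k for k in kids
                   if in_user_temp(k.image) and k.image.lower().endswith(".exe")]
        for comp in compilers:
            for d in dropped:
                hits.append({
                    "parent": parent.image,
                    "compiler_cmdline": comp.cmdline,
                    "dropped": d.image,
                    # the sample hands its own path to the compiled payload as argv[1]
                    "dropped_gets_parent_path": parent.image.lower() in d.cmdline.lower(),
                })
    return hits


def run_target(value: str) -> str:
    """Extract the executable path from Run-key data, with or without quotes/arguments."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split(" ", 1)[0]


def find_temp_run_keys(reg_events):
    """Return (value_name, target) for Run-key entries whose target lives in %TEMP%."""
    hits = []
    for r in reg_events:
        if not RUN_KEY.search(r.key):
            continue
        target = run_target(r.value)
        if in_user_temp(target):
            hits.append((r.key.rsplit("\\", 1)[-1], target))
    return hits


# Constructed records modelled on the behavioral1 process tree; PIDs are arbitrary.
T = r"C:\Users\Admin\AppData\Local\Temp"
NETFX = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SID = r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000"
SAMPLE_PROCESSES = [
    ProcessEvent(3036, 1800, T + r"\edd8e3023a94a085a99a36ee52560605_JaffaCakes118.exe",
                 '"' + T + r'\edd8e3023a94a085a99a36ee52560605_JaffaCakes118.exe"'),
    ProcessEvent(3040, 3036, NETFX + r"\vbc.exe",
                 '"' + NETFX + r'\vbc.exe" /noconfig @"' + T + r'\0b3cenot.cmdline"'),
    ProcessEvent(3044, 3040, NETFX + r"\cvtres.exe",
                 NETFX + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + T + r'\RES72F0.tmp" "' + T + r'\vbc72EF.tmp"'),
    ProcessEvent(2692, 3036, T + r"\tmp70CD.tmp.exe",
                 '"' + T + r'\tmp70CD.tmp.exe" ' + T + r"\edd8e3023a94a085a99a36ee52560605_JaffaCakes118.exe"),
    # benign control (assumed): an IDE build also spawns vbc.exe but from outside %TEMP%
    ProcessEvent(4100, 900, r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
                 r'"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"'),
    ProcessEvent(4104, 4100, NETFX + r"\vbc.exe",
                 '"' + NETFX + r'\vbc.exe" /noconfig @"C:\Src\App\obj\Debug\app.cmdline"'),
]
SAMPLE_REGISTRY = [
    RegistryEvent(2692, SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf",
                  '"' + T + r'\System.Web.exe"'),
    # benign control (assumed): a Run entry pointing outside %TEMP% is ignored
    RegistryEvent(5000, SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                  r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for h in find_vbc_compile_chains(SAMPLE_PROCESSES):
        print("compile-and-run chain:", h)
    for name, target in find_temp_run_keys(SAMPLE_REGISTRY):
        print("Run key in %TEMP%:", name, "->", target)
```

Legitimate vbc.exe launches (IDE builds, ASP.NET dynamic compilation) come from parents outside the user's Temp directory, which is why the rule keys on the parent's location rather than on vbc.exe alone; widen USER_TEMP to other user-writable staging paths if the environment warrants it.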
Processes
C:\Users\Admin\AppData\Local\Temp\edd8e3023a94a085a99a36ee52560605_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edd8e3023a94a085a99a36ee52560605_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0b3cenot.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES72F0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc72EF.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp70CD.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp70CD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\edd8e3023a94a085a99a36ee52560605_JaffaCakes118.exe
Network
Count gives the number of identical connections observed during the run.
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | bejnz.com | udp | 1 |
| US | 34.67.9.172:80 | bejnz.com | tcp | 100 |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp | 1 |
Files
memory/2692-25-0x0000000074A80000-0x000000007502B000-memory.dmp
memory/2692-24-0x0000000000C80000-0x0000000000CC0000-memory.dmp
memory/2692-23-0x0000000074A80000-0x000000007502B000-memory.dmp
memory/3036-22-0x0000000074A80000-0x000000007502B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp70CD.tmp.exe
| MD5 | eb95b291bacadd73e8e93c85da22208e |
| SHA1 | 4b46f0a95aba1e6df6fd0dd6cd2768efc88ba433 |
| SHA256 | 975d0462f1cfaec6ce275a515159c60f730d4295c96a1a8645732a82de285b80 |
| SHA512 | 0f7fcc6873c3079e9c081ba3a241e61d626e10400c418ac72e00fbfef79087e88e0377710612c540e287e6d3e03cab1d7652e6244eb062be4c16a26ed646517d |
C:\Users\Admin\AppData\Local\Temp\RES72F0.tmp
| MD5 | 253d784524671eb15db9d7ba217cbff6 |
| SHA1 | 4692f080955a2bea1dc28c32e8ab5788d837c1a5 |
| SHA256 | a261763d9e2b5db2a097599d4d5b8d4a9c2746782163f91b1b7c42d8ec6a72bb |
| SHA512 | a4bcda1e07ab1027cd0b335bd1ac9546b79dd9ab46b1dcecbd1f17aba1c4c8be310d04e0d6617a58a478a820edae2d408707bdfa7661c1c8b8d28633953e0bae |
C:\Users\Admin\AppData\Local\Temp\vbc72EF.tmp
| MD5 | d4519b03a6197be47ba052834137b693 |
| SHA1 | 219e6beef9be3f871a4687d698b90dc643ae84a0 |
| SHA256 | b43fbcbe7ead79def4abe8711190cf50442deb8079f6bd73c81d1baae5c5e769 |
| SHA512 | add5cdf94340983f1240b59c78075555704870e80157a1682b8e8a7c933452dbf28b86e187bc88aa807eb80cac7cdc3e6f58aa61bc13d00ab1a8bf232c7b37f7 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8fd8e054ba10661e530e54511658ac20 |
| SHA1 | 72911622012ddf68f95c1e1424894ecb4442e6fd |
| SHA256 | 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7 |
| SHA512 | c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c |
C:\Users\Admin\AppData\Local\Temp\0b3cenot.0.vb
| MD5 | 2385d92268b72a547ca79b601fac3b9c |
| SHA1 | 87bc9a1d4de938a52490f1fcff25c0b3c9d91758 |
| SHA256 | 5620ab1ba017a9f270b4572f282a61db88a8215bd8bd17e078f7cb9681d112cd |
| SHA512 | c01ee599184cf2eca905231de018141a793afdb8ffc7b2ebf3de45ef8841db1daee917b09867e1d62c2ffa3be53dbe61047ac89ced5ea5441c8c0417cda62bad |
C:\Users\Admin\AppData\Local\Temp\0b3cenot.cmdline
| MD5 | 014a137e346be8638852a6e2f0bceba6 |
| SHA1 | 1f251230cd82612922c0e0c9e5cea822a479bedb |
| SHA256 | ccb49e95056142f71789c2698466bd36461ba9191e7403b3b84f7c7ae439ef7d |
| SHA512 | a7c4394263421c47994e83100cb8280daba9af86837e929a32ca85572707421cd0c79319aca53163a38f3ad2e87ef7db02f27a95f00dcab1fb12b0c77274ecf5 |
memory/3036-2-0x0000000001F10000-0x0000000001F50000-memory.dmp
memory/3036-1-0x0000000074A80000-0x000000007502B000-memory.dmp
memory/3036-0-0x0000000074A80000-0x000000007502B000-memory.dmp
memory/2692-27-0x0000000000C80000-0x0000000000CC0000-memory.dmp
memory/2692-28-0x0000000074A80000-0x000000007502B000-memory.dmp
memory/2692-29-0x0000000000C80000-0x0000000000CC0000-memory.dmp
memory/2692-30-0x0000000000C80000-0x0000000000CC0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-11 16:22
Reported
2024-04-11 16:25
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\edd8e3023a94a085a99a36ee52560605_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3671.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp3671.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\edd8e3023a94a085a99a36ee52560605_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3671.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\edd8e3023a94a085a99a36ee52560605_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edd8e3023a94a085a99a36ee52560605_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0a_8vka7.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES374C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7EEC3B13848412D93F190BDA0336E4F.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp3671.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3671.tmp.exe" C:\Users\Admin\AppData\Local\Temp\edd8e3023a94a085a99a36ee52560605_JaffaCakes118.exe
Network
Count gives the number of identical connections observed during the run. The HTTP connections to 34.67.9.172:80 arrived mostly in bursts of four between successive re-resolutions of rwkeith.no-ip.org (a dynamic-DNS name); no connection to an address for rwkeith.no-ip.org appears in the capture. The two NL destinations were recorded without a domain.
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | bejnz.com | udp | 1 |
| US | 34.67.9.172:80 | bejnz.com | tcp | 103 |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp | 27 |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp | 1 |
| NL | 52.142.223.178:80 | | tcp | 1 |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp | 1 |
| NL | 52.111.243.29:443 | | tcp | 1 |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp | 1 |
Files
memory/3576-0-0x0000000074B80000-0x0000000075131000-memory.dmp
memory/3576-1-0x0000000001410000-0x0000000001420000-memory.dmp
memory/3576-2-0x0000000074B80000-0x0000000075131000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0a_8vka7.cmdline
| MD5 | 893eb2362870f636b0f74194ac91c1e6 |
| SHA1 | 70ee0ce6766d07b5d97c116edbed2546915a36a6 |
| SHA256 | f79d8620b40721a48b4ae42c1968aacc4cd7942cdffaafeed16f05a313674117 |
| SHA512 | 82a51d0b6e431e8938fd80ac14db09bec354244b14e37dffa308c05c1c0000262242c4e3aa06082724072a3cab7a237666fbf1585b877b96df1da38388a0476b |
memory/3212-8-0x0000000002240000-0x0000000002250000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0a_8vka7.0.vb
| MD5 | f0af8e23953b711a1d2d5890d9f13f12 |
| SHA1 | 390b61d6696d3506c62d2c443fbf933c5785524c |
| SHA256 | e45df37a1205a29b341826410480e7604a9841d8fd211c7fd1c2bb0b1cb54192 |
| SHA512 | a30f2809c2b442cb3f6154ab7f404299e20d56af36e1735a84f1bfd366ccd3ac025f39bd0e8621d06950500b61b89f914699ef779200fb8c9bf84b8afa834813 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8fd8e054ba10661e530e54511658ac20 |
| SHA1 | 72911622012ddf68f95c1e1424894ecb4442e6fd |
| SHA256 | 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7 |
| SHA512 | c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c |
C:\Users\Admin\AppData\Local\Temp\vbc7EEC3B13848412D93F190BDA0336E4F.TMP
| MD5 | bfc14c97113e7bf86d735c4624cbbbc1 |
| SHA1 | 94d97a4c96d6399d5bc2b825b355c82d44f72467 |
| SHA256 | 05a9281e8a9d470aab7c22a9059350957201f008ec47834bc82230ebf4c94d0d |
| SHA512 | 2dc9df37ef061ff0069412f0fdb897bcf4fee7a6a73941a4cc3d571a2702055dba86a1759ddd19c7b63054481eccd57ed6bd7e02d937b87e20eab6f7da2b6aa7 |
C:\Users\Admin\AppData\Local\Temp\RES374C.tmp
| MD5 | 9d5ba6f83c47424c0c90c10c31c461b9 |
| SHA1 | 533ff9d6324eca38dc7c56289210b011d69d1494 |
| SHA256 | ef56cb7ced34a51025acb7f74da038f80f79b1af4bc0f2391bf651767de06990 |
| SHA512 | b29c7fd9639a851a956a3f0b994d4ce4a88feec393f30a8915dc954daf10e455ce7dea0391b06e5f5c226fbcb45ec51c8cb0ff5f60b1f82828fc4ff9195a3d93 |
C:\Users\Admin\AppData\Local\Temp\tmp3671.tmp.exe
| MD5 | bc2041a03e63aefa6f4283f78eedaa45 |
| SHA1 | 536cc1801db4c6bb04c5cebf257f29a8d13725c9 |
| SHA256 | f678922f19c86f867cce139f762c43340b3067014dd2e70293de1f9b678d756d |
| SHA512 | 4b99413fb28085bbbded458e8cd52a87c261bff46949406362ca9f861e33cfe777e84c229d6cfd299763b0228afbe10a3ffc25a7eb415b8b7d36d67556fe4b7e |
memory/4692-22-0x0000000074B80000-0x0000000075131000-memory.dmp
memory/3576-21-0x0000000074B80000-0x0000000075131000-memory.dmp
memory/4692-23-0x0000000001960000-0x0000000001970000-memory.dmp
memory/4692-24-0x0000000074B80000-0x0000000075131000-memory.dmp
memory/4692-26-0x0000000074B80000-0x0000000075131000-memory.dmp
memory/4692-27-0x0000000001960000-0x0000000001970000-memory.dmp
memory/4692-28-0x0000000001960000-0x0000000001970000-memory.dmp