Analysis Overview
SHA256
cedc1ea04ff1358268d7384072db8ea16302a321f3406fbf8ea8a0a3b0685641
Threat Level: Known bad
The file edf9efe46c57e086196e336ddeab1e39_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Uses the VBS compiler for execution
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-11 17:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-11 17:34
Reported
2024-04-11 17:37
Platform
win7-20240220-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
MetamorpherRAT
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1381.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1381.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp1381.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1381.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mh2xvqxw.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES142D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc142C.tmp"
C:\Users\Admin\AppData\Local\Temp\tmp1381.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1381.tmp.exe" C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/2872-1-0x0000000000240000-0x0000000000280000-memory.dmp
memory/2872-2-0x0000000074750000-0x0000000074CFB000-memory.dmp
memory/2872-0-0x0000000074750000-0x0000000074CFB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mh2xvqxw.cmdline
| MD5 | 5f4933034f21225ac582bb0b969eec1b |
| SHA1 | d75e4f613212ae6f2d107484fb50000830fea610 |
| SHA256 | 7d0be7962d4de78c76c79c0fcfc9c36c0db05f12744af8f5aaa1c7626e4aea15 |
| SHA512 | a1c12dac9beaaa64888baa9e7e79de3846f425bffaf511f59d2c602bc3b510efd6ba1e8c806b2eca55567f80c5d39672cb0234c0ffb96f4d9482a9d301930920 |
C:\Users\Admin\AppData\Local\Temp\mh2xvqxw.0.vb
| MD5 | 8076004abb3cf70391babec2881f82b5 |
| SHA1 | 77edafed73acc3d16d200ac436f4c138fa8389f7 |
| SHA256 | ea7e4dfd4be09c6738b14cfc55385be578b17be6aa9137e8819bf19706152a9c |
| SHA512 | 56d171ae26ac453c20fe3afd7e8cb2f0d72acb5469d0dd27fd000c4cdf4f1bbfcf17abffb5da384868afccf8abe09d4068abd7fb5ec52a0689e6a30ecca15e63 |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8fd8e054ba10661e530e54511658ac20 |
| SHA1 | 72911622012ddf68f95c1e1424894ecb4442e6fd |
| SHA256 | 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7 |
| SHA512 | c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c |
C:\Users\Admin\AppData\Local\Temp\vbc142C.tmp
| MD5 | 20287f490cd80f66b2a99ecb5123f0d5 |
| SHA1 | 5839bb7b850163cda303f82ffceab8209d7f0788 |
| SHA256 | 5f0250c0e66f988c1810ec98b1c1e059851c104a7bdecb730407e929cfdda64d |
| SHA512 | ed917604029a1711bde5fd3c6459d7a6ea54e9c3f2c256b58035808a3d42b6f79af99887ce0f0c3366863b5f8b40fffc5dda6d71a6b167bd09f3d5ecf275bb85 |
C:\Users\Admin\AppData\Local\Temp\RES142D.tmp
| MD5 | dd33200bc4907b776833307194396ad8 |
| SHA1 | 4e5b83167a25793dfc0edf972734ad002c4f8419 |
| SHA256 | 3a7c624ceb614910d2fa319ca6be2240b52909d3ab208654fbfe8b4658f819e0 |
| SHA512 | ee3924bd2d7066eca477838a1bb565151f49624dffafe1405c74238325f047f68c5e03ef85e4216dfc303506cfbb2ac978403b99e5b980533c348891bbce5b9a |
C:\Users\Admin\AppData\Local\Temp\tmp1381.tmp.exe
| MD5 | 47d85faa6b8fbf4f98e0e9a5a9482624 |
| SHA1 | c179b30cd2aa962ec2fdc441aa6529e78fa54abe |
| SHA256 | 5648cad2eebdfc34e9db486b8d08a4fd5c6558f1ee5545ab0915ad9b926ea317 |
| SHA512 | a35d50e36f7285201d5f294c5c56b8ffeb83be03d056977dbf4250ab3e6d5032fd3c82b0d58b0708c92ab215e4cf711acb2132fbceb3f2ef9775ca3575c9ef01 |
memory/2872-22-0x0000000074750000-0x0000000074CFB000-memory.dmp
memory/2820-23-0x0000000074750000-0x0000000074CFB000-memory.dmp
memory/2820-24-0x0000000000920000-0x0000000000960000-memory.dmp
memory/2820-25-0x0000000074750000-0x0000000074CFB000-memory.dmp
memory/2820-27-0x0000000000920000-0x0000000000960000-memory.dmp
memory/2820-29-0x0000000000920000-0x0000000000960000-memory.dmp
memory/2820-28-0x0000000074750000-0x0000000074CFB000-memory.dmp
memory/2820-30-0x0000000000920000-0x0000000000960000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-11 17:34
Reported
2024-04-11 17:37
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
MetamorpherRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4333.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp4333.tmp.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4333.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dt1b_4jy.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES442D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4EA836683F4A475E80944F7ED30E567.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp4333.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4333.tmp.exe" C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 81.139.73.23.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | rwkeith.no-ip.org | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp |
| US | 34.67.9.172:80 | bejnz.com | tcp |
Files
memory/1868-0-0x00000000751B0000-0x0000000075761000-memory.dmp
memory/1868-1-0x00000000751B0000-0x0000000075761000-memory.dmp
memory/1868-2-0x0000000001380000-0x0000000001390000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dt1b_4jy.cmdline
| MD5 | 3335c3e9fcfd3893a076c1f88b255b4d |
| SHA1 | 75443d17536b97bf0c8ce12a1fefc793e1eb5275 |
| SHA256 | 0d612617217d21ce0ca3abfa648b70a0ab09417e7c024f7322c3d4593c74b8ab |
| SHA512 | e47e513c5e87d96ec13583d879332904c2432e4f8216c5cc5ce49a4d7a76029db51a0d43d921f3e15c1a58cc1672d04685b5f632d303ad5a04249099e5ede169 |
memory/880-8-0x0000000002490000-0x00000000024A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dt1b_4jy.0.vb
| MD5 | d2d4e642e51f8a66ebf21d04376e57b9 |
| SHA1 | e413f550236011b28cb8b9f1bde32531474806e7 |
| SHA256 | de44f3412628fea294a67890f3db8a046cca0089096a2331f539220dc97a57ff |
| SHA512 | c5b0715ee07d18f4fc35c332f994c02ad648e37a1a05f1da0b7ee19c55bb61c91da8f188a7e4485e4ffe19635d5aa7fe9c26ab2b6f215bfee69cae288a62f7cd |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8fd8e054ba10661e530e54511658ac20 |
| SHA1 | 72911622012ddf68f95c1e1424894ecb4442e6fd |
| SHA256 | 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7 |
| SHA512 | c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c |
C:\Users\Admin\AppData\Local\Temp\vbc4EA836683F4A475E80944F7ED30E567.TMP
| MD5 | 3c13619745d5fa53b6369b3670a843d2 |
| SHA1 | 1769de6f85ea70c03e1154c61f0bf7be755200d2 |
| SHA256 | 6978712e212f1cecb92b71aaabbab46b7b75f12bcde1c4d7509add84a649a2b6 |
| SHA512 | c8f8b71ad09e088fc2694556a480725a62951bc248347838c8b13cf902a0cf99c652e05a018bb31c595a4e93507f66e3f8b8b21257d93bedf150bb9ef6321324 |
C:\Users\Admin\AppData\Local\Temp\RES442D.tmp
| MD5 | 5a4f6328d04ed972b6d5e903ef424364 |
| SHA1 | 0c4799de193c5ba65b75de9a01f2f527c954aa78 |
| SHA256 | bd8ccd42903926d77332301d81585e75986f5293f08b46e150f60cac74de4b1f |
| SHA512 | b2e82873e0fba063ec46b2c6d9f8a63517d2ed354ea0acedde0092cbd9bd7214c21442ff4639a91a70016e1e0ebe6bab6f42acba3eeb6833dcf018f14894678e |
C:\Users\Admin\AppData\Local\Temp\tmp4333.tmp.exe
| MD5 | 3644d4001df4a0e573508b23f7632e06 |
| SHA1 | 9210e430347b3ff63cfc1432e6d99b055bb3b839 |
| SHA256 | f19576a0afc60fe1b85f345b120881731d606078751711e90799ac40dd100834 |
| SHA512 | d31e6c2093a62b755b35d4096ad8e8085d4fc98b27c95d9929bef744d7a4a822aadbeb93bc6a70f36f6b053c8b145153549d1064d70a72e655672981ad041ce8 |
memory/1868-21-0x00000000751B0000-0x0000000075761000-memory.dmp
memory/4236-22-0x00000000751B0000-0x0000000075761000-memory.dmp
memory/4236-23-0x00000000007A0000-0x00000000007B0000-memory.dmp
memory/4236-24-0x00000000751B0000-0x0000000075761000-memory.dmp
memory/4236-26-0x00000000007A0000-0x00000000007B0000-memory.dmp
memory/4236-27-0x00000000751B0000-0x0000000075761000-memory.dmp
memory/4236-28-0x00000000007A0000-0x00000000007B0000-memory.dmp
memory/4236-29-0x00000000007A0000-0x00000000007B0000-memory.dmp