Malware Analysis Report

2024-11-16 13:11

Sample ID 240411-v5pzfabf9v
Target edf9efe46c57e086196e336ddeab1e39_JaffaCakes118
SHA256 cedc1ea04ff1358268d7384072db8ea16302a321f3406fbf8ea8a0a3b0685641
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cedc1ea04ff1358268d7384072db8ea16302a321f3406fbf8ea8a0a3b0685641

Threat Level: Known bad

The file edf9efe46c57e086196e336ddeab1e39_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Uses the VBS compiler for execution (the "VBS" in this signature name is vbc.exe, the Visual Basic .NET command-line compiler, not the VBScript host: the sample compiles its payload on the victim and then runs the freshly built executable)

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

The report's matrix section rendered empty on this page. The signatures listed above map to the following techniques (editor's mapping from the observed behaviour, not the sandbox's own output):

T1027.004 Obfuscated Files or Information: Compile After Delivery (vbc.exe builds the payload on the host)

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (the aspnet_state_perf Run value)

T1036.005 Masquerading: Match Legitimate Name or Location (System.Web.exe and aspnet_state_perf imitate .NET component names)

T1070.004 Indicator Removal: File Deletion (the dropped executable deletes the original sample)

T1614 System Location Discovery (the Control Panel\International\Geo\Nation query)

T1082 System Information Discovery (physical storage enumeration)

Analysis: static1

Detonation Overview

Reported

2024-04-11 17:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-11 17:34

Reported

2024-04-11 17:37

Platform

win7-20240220-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Deletes itself (the deleting process is the dropped, runtime-compiled executable, which the sample launches with its own path as the argument; see Processes)

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1381.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1381.tmp.exe N/A

Uses the VBS compiler for execution (vbc.exe, the Visual Basic .NET compiler, followed by cvtres.exe for the resource file; see the vbc.exe, cvtres.exe and tmp1381.tmp.exe entries under Processes)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp1381.tmp.exe N/A

The value name imitates the ASP.NET state service (aspnet_state.exe) and the target imitates the System.Web assembly name. No file named System.Web.exe appears in the Files list for this run; only the registry write was captured.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp1381.tmp.exe N/A

Suspicious use of WriteProcessMemory

Each write below goes from a parent into a child it has just created, which is what CreateProcess itself does while setting up the new process. These rows document the process tree; on their own they are not evidence of injection into an unrelated process.

Count Description Indicator Process Target
4 PID 2872 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
4 PID 2904 wrote to memory of 2528 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
4 PID 2872 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp1381.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mh2xvqxw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES142D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc142C.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp1381.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1381.tmp.exe" C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe
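The chain above (sample, then vbc.exe fed a response file in Temp, then cvtres.exe, then a freshly compiled executable in Temp launched with the sample's own path as its argument, plus the Run-key write) is a pattern that endpoint detection logic can key on directly. The following is an added example, not part of the sandbox report or of the malware: it runs three rules over process-creation and registry events constructed from the command lines and the registry indicator printed in this report. The event schema (type, image, parent_image, cmdline, key, data), the explorer.exe parent of the sample and the MSBuild-driven control event are assumptions made for the example.

```python
"""Detect the compile-after-delivery and Temp-persistence chain from this report.

Added example, not part of the sandbox report. Event records are constructed
from the command lines and registry indicator printed in the report; the
field names ("type", "image", "parent_image", "cmdline", "key", "data") are an
assumed Sysmon-like schema, not any vendor's format.
"""
import re

# Constructed events modelled on behavioral1. The sample's parent (explorer.exe)
# and the MSBuild control event are assumptions; the rest mirrors the report.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
DROPPED = TEMP + r"\tmp1381.tmp.exe"

EVENTS = [
    {"type": "process", "pid": 2872, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 2904, "image": FW + r"\vbc.exe", "parent_image": SAMPLE,
     "cmdline": f'"{FW}\\vbc.exe" /noconfig @"{TEMP}\\mh2xvqxw.cmdline"'},
    {"type": "process", "pid": 2528, "image": FW + r"\cvtres.exe", "parent_image": FW + r"\vbc.exe",
     "cmdline": f'{FW}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RES142D.tmp" "{TEMP}\\vbc142C.tmp"'},
    {"type": "process", "pid": 2820, "image": DROPPED, "parent_image": SAMPLE,
     "cmdline": f'"{DROPPED}" {SAMPLE}'},
    {"type": "registry", "pid": 2820, "image": DROPPED,
     "key": r"HKU\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf",
     "data": f'"{TEMP}\\System.Web.exe"'},
    # Benign control (constructed): a build-tool-driven compile that must not fire.
    {"type": "process", "pid": 4000, "image": FW + r"\vbc.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe",
     "cmdline": f'"{FW}\\vbc.exe" /noconfig @"C:\\src\\app\\obj\\Debug\\app.cmdline"'},
]

DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\", re.I)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
EXE_PATH = re.compile(r"[A-Za-z]:\\.+\.exe", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def argv(cmdline: str) -> list[str]:
    """Split a Windows command line into quoted and bare tokens."""
    return [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def detect(events: list[dict]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) findings for the patterns seen in the report."""
    findings = []
    for e in events:
        img = basename(e.get("image", ""))
        parent = basename(e.get("parent_image", ""))
        if e["type"] == "process":
            # Rule 1: a .NET compiler fed a response file from a user-writable directory by
            # something that is not a build tool: source compiled on the victim at run time.
            m = RESPONSE_FILE.search(e["cmdline"])
            if img in DOTNET_COMPILERS and m and parent not in BUILD_TOOLS and USER_WRITABLE.search(m.group(1)):
                findings.append(("compile_after_delivery", e["pid"], m.group(1)))
            # Rule 2: an executable in a user-writable directory launched with the path of
            # another executable as its argument (the self-delete helper pattern).
            exe_args = [a for a in argv(e["cmdline"])[1:] if EXE_PATH.fullmatch(a)]
            if USER_WRITABLE.search(e["image"]) and exe_args:
                findings.append(("temp_exe_with_exe_argument", e["pid"], exe_args[0]))
        elif e["type"] == "registry":
            # Rule 3: a Run-key value whose target lives in a user-writable directory.
            if RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["data"]):
                findings.append(("run_key_to_user_writable_path", e["pid"], e["data"].strip('"')))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Rule 1 is deliberately scoped to response files under user-writable paths with a non-build-tool parent, because vbc.exe and csc.exe are invoked legitimately by MSBuild and Visual Studio all day; the MSBuild control event shows the rule staying quiet in that case. Tune BUILD_TOOLS and USER_WRITABLE to the estate before deploying.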

Network

Rows are listed by the sandbox in the order observed; identical rows are collapsed here with a count.

Count Country Destination Domain Proto
1 US 8.8.8.8:53 bejnz.com udp
1 US 8.8.8.8:53 rwkeith.no-ip.org udp
101 US 34.67.9.172:80 bejnz.com tcp

Only a DNS query is recorded for rwkeith.no-ip.org; no connection to that name appears, so 34.67.9.172 (bejnz.com) is the only remote host contacted in this run.

Files

memory/2872-1-0x0000000000240000-0x0000000000280000-memory.dmp

memory/2872-2-0x0000000074750000-0x0000000074CFB000-memory.dmp

memory/2872-0-0x0000000074750000-0x0000000074CFB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mh2xvqxw.cmdline

MD5 5f4933034f21225ac582bb0b969eec1b
SHA1 d75e4f613212ae6f2d107484fb50000830fea610
SHA256 7d0be7962d4de78c76c79c0fcfc9c36c0db05f12744af8f5aaa1c7626e4aea15
SHA512 a1c12dac9beaaa64888baa9e7e79de3846f425bffaf511f59d2c602bc3b510efd6ba1e8c806b2eca55567f80c5d39672cb0234c0ffb96f4d9482a9d301930920

C:\Users\Admin\AppData\Local\Temp\mh2xvqxw.0.vb

MD5 8076004abb3cf70391babec2881f82b5
SHA1 77edafed73acc3d16d200ac436f4c138fa8389f7
SHA256 ea7e4dfd4be09c6738b14cfc55385be578b17be6aa9137e8819bf19706152a9c
SHA512 56d171ae26ac453c20fe3afd7e8cb2f0d72acb5469d0dd27fd000c4cdf4f1bbfcf17abffb5da384868afccf8abe09d4068abd7fb5ec52a0689e6a30ecca15e63

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc142C.tmp

MD5 20287f490cd80f66b2a99ecb5123f0d5
SHA1 5839bb7b850163cda303f82ffceab8209d7f0788
SHA256 5f0250c0e66f988c1810ec98b1c1e059851c104a7bdecb730407e929cfdda64d
SHA512 ed917604029a1711bde5fd3c6459d7a6ea54e9c3f2c256b58035808a3d42b6f79af99887ce0f0c3366863b5f8b40fffc5dda6d71a6b167bd09f3d5ecf275bb85

C:\Users\Admin\AppData\Local\Temp\RES142D.tmp

MD5 dd33200bc4907b776833307194396ad8
SHA1 4e5b83167a25793dfc0edf972734ad002c4f8419
SHA256 3a7c624ceb614910d2fa319ca6be2240b52909d3ab208654fbfe8b4658f819e0
SHA512 ee3924bd2d7066eca477838a1bb565151f49624dffafe1405c74238325f047f68c5e03ef85e4216dfc303506cfbb2ac978403b99e5b980533c348891bbce5b9a

C:\Users\Admin\AppData\Local\Temp\tmp1381.tmp.exe

(Compiled on the host by vbc.exe, so its hashes differ from those of the equivalent tmp4333.tmp.exe in behavioral2 and are not a stable indicator. zCom.resources, by contrast, has identical hashes in both runs.)

MD5 47d85faa6b8fbf4f98e0e9a5a9482624
SHA1 c179b30cd2aa962ec2fdc441aa6529e78fa54abe
SHA256 5648cad2eebdfc34e9db486b8d08a4fd5c6558f1ee5545ab0915ad9b926ea317
SHA512 a35d50e36f7285201d5f294c5c56b8ffeb83be03d056977dbf4250ab3e6d5032fd3c82b0d58b0708c92ab215e4cf711acb2132fbceb3f2ef9775ca3575c9ef01

memory/2872-22-0x0000000074750000-0x0000000074CFB000-memory.dmp

memory/2820-23-0x0000000074750000-0x0000000074CFB000-memory.dmp

memory/2820-24-0x0000000000920000-0x0000000000960000-memory.dmp

memory/2820-25-0x0000000074750000-0x0000000074CFB000-memory.dmp

memory/2820-27-0x0000000000920000-0x0000000000960000-memory.dmp

memory/2820-29-0x0000000000920000-0x0000000000960000-memory.dmp

memory/2820-28-0x0000000074750000-0x0000000074CFB000-memory.dmp

memory/2820-30-0x0000000000920000-0x0000000000960000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-11 17:34

Reported

2024-04-11 17:37

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings (reads the Geo\Nation value, i.e. the configured country of the user profile)

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4333.tmp.exe N/A

Uses the VBS compiler for execution (vbc.exe, the Visual Basic .NET compiler, followed by cvtres.exe; see the vbc.exe, cvtres.exe and tmp4333.tmp.exe entries under Processes)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp4333.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp4333.tmp.exe N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
3 PID 1868 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
3 PID 880 wrote to memory of 3396 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
3 PID 1868 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp4333.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dt1b_4jy.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES442D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4EA836683F4A475E80944F7ED30E567.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp4333.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4333.tmp.exe" C:\Users\Admin\AppData\Local\Temp\edf9efe46c57e086196e336ddeab1e39_JaffaCakes118.exe

Network

Rows are listed by the sandbox in the order observed; identical rows are collapsed here with a count. In the original order, rwkeith.no-ip.org is re-queried after roughly every four bejnz.com connections.

Count Country Destination Domain Proto
1 US 8.8.8.8:53 bejnz.com udp
26 US 8.8.8.8:53 rwkeith.no-ip.org udp
104 US 34.67.9.172:80 bejnz.com tcp
1 US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
1 US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
1 US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
1 US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
1 US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
1 US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
1 US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
1 US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
1 US 8.8.8.8:53 81.139.73.23.in-addr.arpa udp
1 US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
1 US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
1 US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp

As in behavioral1, rwkeith.no-ip.org is only ever queried, never connected to. Of the reverse lookups, 172.9.67.34.in-addr.arpa is the reverse of 34.67.9.172 (the bejnz.com host); the others concern addresses that appear nowhere else in the report and are consistent with background Windows 10 traffic rather than the sample (an interpretation, not something the report states).
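Both Network tables (behavioral1 and behavioral2) consist mostly of repeated rows, and the interesting fact is what is missing: rwkeith.no-ip.org is queried over and over but never connected to. The following added example, not part of the report, parses rows in the report's "Country Destination Domain Proto" layout, collapses them into counts, and flags names that were resolved but never contacted as well as names on dynamic-DNS providers. The excerpt of rows is constructed from the behavioral2 table; the DDNS suffix list is an assumption (a few well-known providers), not something the report states.

```python
"""Summarise a sandbox connection table and flag names that were only ever resolved.

Added example, not part of the report. ROWS is a constructed excerpt of the
behavioral2 Network table; DDNS_SUFFIXES is an assumed list of dynamic-DNS
providers, not something the report states.
"""
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "country ip port domain proto")

DDNS_SUFFIXES = (".no-ip.org", ".no-ip.biz", ".ddns.net", ".duckdns.org", ".dyndns.org")

# Constructed excerpt of the report's "Country Destination Domain Proto" rows.
ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 34.67.9.172:80 bejnz.com tcp
"""


def parse_rows(text: str) -> list[Flow]:
    """Parse the four-column table; blank lines and the header are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0].lower() == "country":
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        flows.append(Flow(country, ip, int(port), domain, proto.lower()))
    return flows


def is_dns(f: Flow) -> bool:
    return f.port == 53 and f.proto == "udp"


def summarize(flows: list[Flow]) -> dict:
    """Collapse rows into counts and separate resolved-only names from contacted ones."""
    counts = Counter((f"{f.ip}:{f.port}", f.domain, f.proto) for f in flows)
    queried = {f.domain for f in flows if is_dns(f) and not f.domain.endswith(".in-addr.arpa")}
    contacted = {f.domain for f in flows if not is_dns(f)}
    return {
        "counts": counts,
        # reverse lookups are usually OS noise; keep them out of the name sets
        "reverse_lookups": sum(1 for f in flows if is_dns(f) and f.domain.endswith(".in-addr.arpa")),
        # names the sample resolved but never opened a connection to
        "dns_only": sorted(queried - contacted),
        "ddns": sorted(d for d in queried if d.endswith(DDNS_SUFFIXES)),
        "query_count": Counter(f.domain for f in flows if is_dns(f)),
    }


if __name__ == "__main__":
    s = summarize(parse_rows(ROWS))
    for (dest, domain, proto), n in s["counts"].most_common():
        print(f"{n:4}  {dest:18} {domain:32} {proto}")
    print("resolved but never contacted:", s["dns_only"])
    print("dynamic-DNS names:", s["ddns"])
```

A name that is resolved repeatedly but never contacted, on a dynamic-DNS provider, is the strongest C2 indicator in these tables: the registered address was probably unreachable or unset while the sandbox ran, and a later re-registration of rwkeith.no-ip.org would not change the sample. Block or monitor the name, not only 34.67.9.172.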

Files

memory/1868-0-0x00000000751B0000-0x0000000075761000-memory.dmp

memory/1868-1-0x00000000751B0000-0x0000000075761000-memory.dmp

memory/1868-2-0x0000000001380000-0x0000000001390000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dt1b_4jy.cmdline

MD5 3335c3e9fcfd3893a076c1f88b255b4d
SHA1 75443d17536b97bf0c8ce12a1fefc793e1eb5275
SHA256 0d612617217d21ce0ca3abfa648b70a0ab09417e7c024f7322c3d4593c74b8ab
SHA512 e47e513c5e87d96ec13583d879332904c2432e4f8216c5cc5ce49a4d7a76029db51a0d43d921f3e15c1a58cc1672d04685b5f632d303ad5a04249099e5ede169

memory/880-8-0x0000000002490000-0x00000000024A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dt1b_4jy.0.vb

MD5 d2d4e642e51f8a66ebf21d04376e57b9
SHA1 e413f550236011b28cb8b9f1bde32531474806e7
SHA256 de44f3412628fea294a67890f3db8a046cca0089096a2331f539220dc97a57ff
SHA512 c5b0715ee07d18f4fc35c332f994c02ad648e37a1a05f1da0b7ee19c55bb61c91da8f188a7e4485e4ffe19635d5aa7fe9c26ab2b6f215bfee69cae288a62f7cd

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc4EA836683F4A475E80944F7ED30E567.TMP

MD5 3c13619745d5fa53b6369b3670a843d2
SHA1 1769de6f85ea70c03e1154c61f0bf7be755200d2
SHA256 6978712e212f1cecb92b71aaabbab46b7b75f12bcde1c4d7509add84a649a2b6
SHA512 c8f8b71ad09e088fc2694556a480725a62951bc248347838c8b13cf902a0cf99c652e05a018bb31c595a4e93507f66e3f8b8b21257d93bedf150bb9ef6321324

C:\Users\Admin\AppData\Local\Temp\RES442D.tmp

MD5 5a4f6328d04ed972b6d5e903ef424364
SHA1 0c4799de193c5ba65b75de9a01f2f527c954aa78
SHA256 bd8ccd42903926d77332301d81585e75986f5293f08b46e150f60cac74de4b1f
SHA512 b2e82873e0fba063ec46b2c6d9f8a63517d2ed354ea0acedde0092cbd9bd7214c21442ff4639a91a70016e1e0ebe6bab6f42acba3eeb6833dcf018f14894678e

C:\Users\Admin\AppData\Local\Temp\tmp4333.tmp.exe

MD5 3644d4001df4a0e573508b23f7632e06
SHA1 9210e430347b3ff63cfc1432e6d99b055bb3b839
SHA256 f19576a0afc60fe1b85f345b120881731d606078751711e90799ac40dd100834
SHA512 d31e6c2093a62b755b35d4096ad8e8085d4fc98b27c95d9929bef744d7a4a822aadbeb93bc6a70f36f6b053c8b145153549d1064d70a72e655672981ad041ce8

memory/1868-21-0x00000000751B0000-0x0000000075761000-memory.dmp

memory/4236-22-0x00000000751B0000-0x0000000075761000-memory.dmp

memory/4236-23-0x00000000007A0000-0x00000000007B0000-memory.dmp

memory/4236-24-0x00000000751B0000-0x0000000075761000-memory.dmp

memory/4236-26-0x00000000007A0000-0x00000000007B0000-memory.dmp

memory/4236-27-0x00000000751B0000-0x0000000075761000-memory.dmp

memory/4236-28-0x00000000007A0000-0x00000000007B0000-memory.dmp

memory/4236-29-0x00000000007A0000-0x00000000007B0000-memory.dmp