Malware Analysis Report

2024-11-16 13:10

Sample ID 240411-ylnh2sef9v
Target ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118
SHA256 5720a52a2a373a244245f2791768c51f97f4fb5b263e30beb41713070b1b95d9
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5720a52a2a373a244245f2791768c51f97f4fb5b263e30beb41713070b1b95d9

Threat Level: Known bad

The file ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-11 19:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-11 19:52

Reported

2024-04-11 19:55

Platform

win7-20240221-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2872 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2872 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2872 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2844 wrote to memory of 2524 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2844 wrote to memory of 2524 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2844 wrote to memory of 2524 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2844 wrote to memory of 2524 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2872 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe
PID 2872 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe
PID 2872 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe
PID 2872 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xzf2on0g.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C3F.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp

Files

memory/2872-0-0x0000000074470000-0x0000000074A1B000-memory.dmp

memory/2872-1-0x0000000074470000-0x0000000074A1B000-memory.dmp

memory/2872-2-0x0000000000C70000-0x0000000000CB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xzf2on0g.cmdline

MD5 df46cd1e75861e5533b612cae21caef5
SHA1 eb8c30edbe2cc7b61721ef1ffd4dff65da7e67fe
SHA256 792ea040857195885dc784bcfce2b94bfc645a004d109260a57a21b5b126a5ee
SHA512 079442fe320ed53fe93b8c6921f59cb1bea78a797b34349b7761b973aeeb1671becb6891562ecc208a668d76bdd91094eb8356b568446fa3dbfbf94acd59ff43

memory/2844-8-0x0000000001FB0000-0x0000000001FF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xzf2on0g.0.vb

MD5 ee404e6ca88f0cdf097e7e4a2373e959
SHA1 e34b7d5658b3875733b927e01886c764074745b8
SHA256 5f6eafe36902724d370048e5c8b878f8b3f20319ce854b1c49220da97d3a1465
SHA512 de69ec49f295bcaa3ef46fdfe7d75a433883b58b912708cd0c43ed123403207516b0731507e8515c1e9db6be2f07279421568114a8762be79f5b02a57367ce86

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbc9C3F.tmp

MD5 546a4f83140239591d569c20f4e5b746
SHA1 67ed9d1401e7e5b056236196770b2419810e2029
SHA256 e3ba429cc36a271592180699a8704ea28f01a228cfb31b2171cfd912fc0bae70
SHA512 13261c7f78ea4c2369b22cf053abde0471c55250be44a6c8ed1f1f28ca9f1c156bae9ae9ec7ff517d87143bdae7b7c43fb2ff977aa6ad2eadb583a61903e6444

C:\Users\Admin\AppData\Local\Temp\RES9C40.tmp

MD5 95ea9ea48100836a726fb3ce032e706f
SHA1 628d41f4f8d7dc2bce50da0c3a4918b4705eeb0e
SHA256 4aac66cee2d20bd5e683884d4dbb6f024ab482060b20c3e5c37346dae31e247d
SHA512 e79f861d2cea9ec6abc8fa8d4c9ddb1c1a391a310c8cbc485ac3d234fcd5757046d4af119cba3e2ce1386b1c8b4363b84eb4d1c690d7ce1e392a23b54b711050

C:\Users\Admin\AppData\Local\Temp\tmp9914.tmp.exe

MD5 c5a8788d40aab859e32c7cdb592b9aaa
SHA1 a452049f278b003d8a642f13b87c8d5cdc29a343
SHA256 1329d9981a4e98b0c22efe181c1991c9b06a9b36eefb212368bc5ca8bf988cc3
SHA512 458ca98a2a31a235244615af6c273b2390db31b3eac9135453a985a73bdfda7b6ebc2f9327949579b53cbaf24032f106d59ecf23e18c5513962e753909ad111f

memory/2576-23-0x0000000074470000-0x0000000074A1B000-memory.dmp

memory/2872-25-0x0000000074470000-0x0000000074A1B000-memory.dmp

memory/2576-24-0x0000000000A00000-0x0000000000A40000-memory.dmp

memory/2576-26-0x0000000074470000-0x0000000074A1B000-memory.dmp

memory/2576-28-0x0000000000A00000-0x0000000000A40000-memory.dmp

memory/2576-29-0x0000000074470000-0x0000000074A1B000-memory.dmp

memory/2576-30-0x0000000074470000-0x0000000074A1B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-11 19:52

Reported

2024-04-11 19:55

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4E5E.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp4E5E.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp4E5E.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2380 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2380 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1444 wrote to memory of 3516 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1444 wrote to memory of 3516 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1444 wrote to memory of 3516 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2380 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp4E5E.tmp.exe
PID 2380 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp4E5E.tmp.exe
PID 2380 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp4E5E.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zkxloggf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5091.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA78FCC11B41415DA232AA7D56FE67F6.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp4E5E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4E5E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ee36f22e4f820cfb9ce70b1acc7b38dd_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 34.67.9.172:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp

Files

memory/2380-0-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/2380-1-0x0000000001B50000-0x0000000001B60000-memory.dmp

memory/2380-2-0x0000000074DD0000-0x0000000075381000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zkxloggf.cmdline

MD5 8a3764d9f69b9cf35bd3c001c72a7023
SHA1 e32f6134b5e5fc0fbe7a38412f6e102e4029b75a
SHA256 e108b2aa9b88b9287b47998d4198bf7aa073cbb686a12dba06d849b316777a30
SHA512 1fcfb8022abc1382819847499a3319896f9b7480dd59883a4765d920a87ea6beed0accc9616e40a1cbe536ac43a69e1b325814230295c61a10bafbb8a0e328e5

memory/1444-8-0x0000000000600000-0x0000000000610000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zkxloggf.0.vb

MD5 5e84bc81b6cb0ea3c82b50878e7f037e
SHA1 3663c85172358e4515bbaa08ae79491dbe8b6fda
SHA256 a8f8fc142ed31869d85c70f07ae6fd8061bf02c7adc2c0e9fde4b74ca86061b5
SHA512 e65b5ae25a9def4a0c494c5c7c51531b8a2298b1d95ea6d6e8bc6828555d2c54a1e73e539fe989765d4c0ff76f3a7603cd6760981422f0594de58e7b88cd61ed

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbcBA78FCC11B41415DA232AA7D56FE67F6.TMP

MD5 afcbff583f3c4861f2e0fec0f538a91c
SHA1 44c8b5de5545b7692b19b220d0f6ba551e66ec55
SHA256 b00ac1f1eede1f61a3b90f5dea4e58ff0c90ee00aca6bafa42923ec0772700f7
SHA512 c95f2ebb7c9013f372fbd5b3b56db36da6fe7bf5da462b3fcd1d4b2b3a2dca4065bc13761006d2e8167af18894749310eb61f920ee5d0a25fc0ae4a76880f412

C:\Users\Admin\AppData\Local\Temp\RES5091.tmp

MD5 4072f99c9593b6a7b3ed406b1b04a392
SHA1 710dbbcef0e662aad04f4e56949facbed9a713a4
SHA256 e4d359db7877e8d241030afa887e5ceb0ec8f5a8789ab2efa476ba6ecc8298fb
SHA512 3e46b82b6359ca82bba62649849a61620af6bed0f25dcf00de6342f6a9bd0baa10d4c905faa6c7be29d5f3cd4a9e91e22274f6ed261265152230777b32057ce2

C:\Users\Admin\AppData\Local\Temp\tmp4E5E.tmp.exe

MD5 fcda34e9d0600aff2c5a2d2ebe161d56
SHA1 bb34f184f79c5bd5d0ebdcab28859119b0be3fb9
SHA256 12ee5c4c08372986757aafe7f01a575de08a7aca4b82aee071884b5548ec7964
SHA512 1bacc5153e9e0ed8a1bd1a27c30c2a573c36b84f744b6bd3de97c3f7f47307e9fe00b3dc3b535a09497e79da006c9c5e9da66f0fcace6321e42b283b7432a40e

memory/1548-22-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/1548-23-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

memory/2380-21-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/1548-24-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/1548-26-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

memory/1548-27-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/1548-28-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

memory/1548-29-0x0000000000AB0000-0x0000000000AC0000-memory.dmp