Analysis Overview
SHA256
aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcb
Threat Level: Known bad
The file aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN was found to be: Known bad.
Malicious Activity Summary
Metamorpherrat family
MetamorpherRAT
Executes dropped EXE
Loads dropped DLL
Deletes itself
Uses the VBS compiler for execution
Checks computer location settings
Adds Run key to start application
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-03 05:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-03 05:39
Reported
2024-11-03 05:42
Platform
win7-20240903-en
Max time kernel
113s
Max time network
120s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe
"C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pmgejqoy.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC63.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEC62.tmp"
C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe" C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
Files
memory/2080-0-0x0000000074381000-0x0000000074382000-memory.dmp
memory/2080-1-0x0000000074380000-0x000000007492B000-memory.dmp
memory/2080-2-0x0000000074380000-0x000000007492B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pmgejqoy.cmdline
| MD5 | 8c96ab3e5b57753d30b45f3facf73a40 |
| SHA1 | 90fd40285f73de37e3a482772544a96489d383d9 |
| SHA256 | c4c556d031813f373792fda056e5f5c4b055de005deac3a5585444360f3e6521 |
| SHA512 | b2fbdbaf377463c409ee05477361bf6646bf3d2141cfb18fd014fe30255baf565dabafd62fc0442184f025b4f14e200ca03fcd7f5c29bf033a1b27c831c533c3 |
memory/880-8-0x0000000074380000-0x000000007492B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pmgejqoy.0.vb
| MD5 | c8bd09400bea9bbf09934858a1713603 |
| SHA1 | a46ecaff57769962edbe740e6a94220e97c1efdf |
| SHA256 | 71b69b58928a49cc8bfab0a3df0d2692396c8ef3a25d815bd543e1c3c454ea80 |
| SHA512 | 9890013e284e8123a39217d68bd9f9e7ba5cf310dbe1f4c59ea3661996626f50b593ef9428cc822aead1eff23de94365d3d3ba2d1f8f862df0b5f1f489404d4e |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | a26b0f78faa3881bb6307a944b096e91 |
| SHA1 | 42b01830723bf07d14f3086fa83c4f74f5649368 |
| SHA256 | b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5 |
| SHA512 | a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c |
C:\Users\Admin\AppData\Local\Temp\RESEC63.tmp
| MD5 | 9d798a81b68e902246ad01a31a19c332 |
| SHA1 | d6115e9300946e2011127885a94fa0b1396b07a6 |
| SHA256 | 9b249f2df45d8449ffdb46f6ad4a52b75b3b4334c654e0a9c8b604688d695987 |
| SHA512 | 7935acab827dd0a3d419c2b67ee0184357d3cd86384b592e781d298b23b372577556a262ceaaf46573c556f07a0c31b10463e9e67b92bfb4fb9078b87c6ee463 |
C:\Users\Admin\AppData\Local\Temp\vbcEC62.tmp
| MD5 | 7ed6a9465744d9e8c4f9bb9cb3fd7c27 |
| SHA1 | 9122edad99ffd869f9afac9bdca5384d1a0ea168 |
| SHA256 | 1c6186362e22b98e6f93c0a5255dc69170f8142cc1ee580c499b04959e79acfb |
| SHA512 | cde973614afc981bf098a5bea7c4fb9e606eb3d9c8ddef34d649654c82828cb8055e373f15a66b8233ebcdee3b16657fdf91a02396deeb1d92630ee7f646f41d |
memory/880-18-0x0000000074380000-0x000000007492B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe
| MD5 | 469ce13bc64bc29d80646c9411f7411b |
| SHA1 | 60d84da65f7c31d1877d1b06cbb2da9e6963b576 |
| SHA256 | 4b6af575f53acbed28fb868c47cbc5487b91a8eb0e32500fec0e1350dafb1d00 |
| SHA512 | 64845ba76307f410502d7a7874a33fc8d1597b900b6f5e84bbf118914d4a3568acafc8b831ba49f8b21bd3f46cb2dc0fc7c5a55a907aa044008e8567f3161594 |
memory/2080-24-0x0000000074380000-0x000000007492B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-03 05:39
Reported
2024-11-03 05:42
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe
"C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\carfsgrf.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB6B611DC8EE48228D388D5BA50505F.TMP"
C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| US | 8.8.8.8:53 | t5tmike.no-ip.info | udp |
Files
memory/2704-0-0x0000000074E82000-0x0000000074E83000-memory.dmp
memory/2704-1-0x0000000074E80000-0x0000000075431000-memory.dmp
memory/2704-2-0x0000000074E80000-0x0000000075431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\carfsgrf.cmdline
| MD5 | 2c863b727b645b3a52c793f7d63a7af5 |
| SHA1 | 6ad8797c0e313d147dc9dcfb8809ef57a1077100 |
| SHA256 | 7dd2d2058039e3ebede03f7e46f5cf8789c870a1ad6ab18cdb6f536d3aec1509 |
| SHA512 | e6ef0df6d298b953f2f50a83c07b963d976a32f7275add11a5d6b2b3161d68d5e57af7d22ae6aa855b512cfdb2e46458b734739e55f372c71eea93276012c115 |
C:\Users\Admin\AppData\Local\Temp\carfsgrf.0.vb
| MD5 | 730687c1a77de5779af72f8ad7c587bf |
| SHA1 | 781752c9abfef3a80d28a6f527c084ea2e8c267f |
| SHA256 | b3c12004688e2c9ef987e9769a8e3811e0ff1516c23202742e11c4ccf68b7e54 |
| SHA512 | 7a1d04c586c18815ce9ba876191e4f084c7a8ee3a3dfa602ee49773db0e1354f0fe7f9d2d9a93ec3e96238ad7d5ff8c6703bbab3527839daf3f5aea7d0a35730 |
memory/2596-9-0x0000000074E80000-0x0000000075431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | a26b0f78faa3881bb6307a944b096e91 |
| SHA1 | 42b01830723bf07d14f3086fa83c4f74f5649368 |
| SHA256 | b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5 |
| SHA512 | a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c |
C:\Users\Admin\AppData\Local\Temp\vbcCB6B611DC8EE48228D388D5BA50505F.TMP
| MD5 | 8edb0db0810e7db3b678904807e76f40 |
| SHA1 | 06901b718597fb0993672f9748a966a772f187b8 |
| SHA256 | 78ca6e48d5a2958935c623fcf65ccd20e0b3df47d1fc4e217070a26544d2efcd |
| SHA512 | 3be68dcf6684540cd961b9e3a6e216a089b1724a1110212b5202121a0bda67ae7f9628520a5990ea762f92fa806b00efafe94f255ba6666fcbc4a67e33737c88 |
C:\Users\Admin\AppData\Local\Temp\RES98F4.tmp
| MD5 | 22120b5dda646ef7227bafa4e1ef77f0 |
| SHA1 | 6addeb586ddbaf26ca89f7a1ce6360ee34a1b276 |
| SHA256 | 030ef7ebb4af09653e9939a863c36d68f634c74bd3f39b006aa71540a33b8212 |
| SHA512 | aeb42f8fd9104ca91a59cc4d07caad2e40adf90ea9cec0e2de51a4778b371c31af63663783a351930a293557e26f962c86d23e5855611dcafae8ed0522caa33f |
memory/2596-18-0x0000000074E80000-0x0000000075431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe
| MD5 | 59d4bd83693455552fa6ebf736e49bf1 |
| SHA1 | d2056c3e399f8b72a61d4230b3804e4c893158f9 |
| SHA256 | c2245ab70b034e598482d53bc9b45bb76766e5e60f192dc306e1806133870f94 |
| SHA512 | e14fedfba9be289331244e22d2ec6129a96b1a024ef366892c37455275033a787d352141ead2940b99e98595002bac48468fbfb4e0e5ba00da70ee946d1e422e |
memory/2704-22-0x0000000074E80000-0x0000000075431000-memory.dmp
memory/3252-23-0x0000000074E80000-0x0000000075431000-memory.dmp
memory/3252-24-0x0000000074E80000-0x0000000075431000-memory.dmp
memory/3252-25-0x0000000074E80000-0x0000000075431000-memory.dmp
memory/3252-26-0x0000000074E80000-0x0000000075431000-memory.dmp
memory/3252-27-0x0000000074E80000-0x0000000075431000-memory.dmp