Malware Analysis Report

2024-11-16 13:12

Sample ID 241103-gcsb7swgrr
Target aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN
SHA256 aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcb
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcb

Threat Level: Known bad

The file aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

Metamorpherrat family

MetamorpherRAT

Executes dropped EXE

Loads dropped DLL

Deletes itself

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 05:39

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 05:39

Reported

2024-11-03 05:42

Platform

win7-20240903-en

Max time kernel

113s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2080 wrote to memory of 880 | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2080 wrote to memory of 880 | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2080 wrote to memory of 880 | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2080 wrote to memory of 880 | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 880 wrote to memory of 2896 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 880 wrote to memory of 2896 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 880 wrote to memory of 2896 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 880 wrote to memory of 2896 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2080 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe
PID 2080 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe
PID 2080 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe
PID 2080 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe

"C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pmgejqoy.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC63.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEC62.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe" C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2080-0-0x0000000074381000-0x0000000074382000-memory.dmp

memory/2080-1-0x0000000074380000-0x000000007492B000-memory.dmp

memory/2080-2-0x0000000074380000-0x000000007492B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pmgejqoy.cmdline

MD5 8c96ab3e5b57753d30b45f3facf73a40
SHA1 90fd40285f73de37e3a482772544a96489d383d9
SHA256 c4c556d031813f373792fda056e5f5c4b055de005deac3a5585444360f3e6521
SHA512 b2fbdbaf377463c409ee05477361bf6646bf3d2141cfb18fd014fe30255baf565dabafd62fc0442184f025b4f14e200ca03fcd7f5c29bf033a1b27c831c533c3

memory/880-8-0x0000000074380000-0x000000007492B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pmgejqoy.0.vb

MD5 c8bd09400bea9bbf09934858a1713603
SHA1 a46ecaff57769962edbe740e6a94220e97c1efdf
SHA256 71b69b58928a49cc8bfab0a3df0d2692396c8ef3a25d815bd543e1c3c454ea80
SHA512 9890013e284e8123a39217d68bd9f9e7ba5cf310dbe1f4c59ea3661996626f50b593ef9428cc822aead1eff23de94365d3d3ba2d1f8f862df0b5f1f489404d4e

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\RESEC63.tmp

MD5 9d798a81b68e902246ad01a31a19c332
SHA1 d6115e9300946e2011127885a94fa0b1396b07a6
SHA256 9b249f2df45d8449ffdb46f6ad4a52b75b3b4334c654e0a9c8b604688d695987
SHA512 7935acab827dd0a3d419c2b67ee0184357d3cd86384b592e781d298b23b372577556a262ceaaf46573c556f07a0c31b10463e9e67b92bfb4fb9078b87c6ee463

C:\Users\Admin\AppData\Local\Temp\vbcEC62.tmp

MD5 7ed6a9465744d9e8c4f9bb9cb3fd7c27
SHA1 9122edad99ffd869f9afac9bdca5384d1a0ea168
SHA256 1c6186362e22b98e6f93c0a5255dc69170f8142cc1ee580c499b04959e79acfb
SHA512 cde973614afc981bf098a5bea7c4fb9e606eb3d9c8ddef34d649654c82828cb8055e373f15a66b8233ebcdee3b16657fdf91a02396deeb1d92630ee7f646f41d

memory/880-18-0x0000000074380000-0x000000007492B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe

MD5 469ce13bc64bc29d80646c9411f7411b
SHA1 60d84da65f7c31d1877d1b06cbb2da9e6963b576
SHA256 4b6af575f53acbed28fb868c47cbc5487b91a8eb0e32500fec0e1350dafb1d00
SHA512 64845ba76307f410502d7a7874a33fc8d1597b900b6f5e84bbf118914d4a3568acafc8b831ba49f8b21bd3f46cb2dc0fc7c5a55a907aa044008e8567f3161594

memory/2080-24-0x0000000074380000-0x000000007492B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 05:39

Reported

2024-11-03 05:42

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2704 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2704 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2704 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2596 wrote to memory of 3740 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2596 wrote to memory of 3740 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2596 wrote to memory of 3740 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2704 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe
PID 2704 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe
PID 2704 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe | C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe

"C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\carfsgrf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB6B611DC8EE48228D388D5BA50505F.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\aeec66d44ae69cc6b06274fd1a68b39167d6af0edfadaf2917bef49fb3730bcbN.exe
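Both behavioral runs show the same chain. The submitted .NET executable (PID 2080 on win7, PID 2704 on win10) launches vbc.exe from the v2.0.50727 framework directory with /noconfig and an @-response file in %TEMP%; vbc.exe launches cvtres.exe to build the resource object; the parent then starts a freshly dropped tmpXXXX.tmp.exe and passes its own path as the argument, which is the handoff behind the "Deletes itself" signature. The dropped file writes a Run value named caspol.exe, borrowing the name of the legitimate .NET Code Access Security Policy tool, that points to an executable in %TEMP%. The Python below is an added detection example written for this page; it is not sandbox output and not code from the sample. The events, PIDs, the stand-in name sample.exe and the benign decoys are constructed, and the allowlist of parent processes (devenv.exe, msbuild.exe, dotnet.exe, vbcscompiler.exe) is an assumption to be tuned per environment.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events modelled on behavioral1 of this report (PIDs 2080 -> 880 -> 2896
# and 2080 -> 2272). They are illustrative records written for this example, not sandbox output;
# "sample.exe" stands in for the submitted file, and the last three events are benign decoys.
EVENTS = [
    {"type": "process", "pid": 2080, "ppid": 1500,
     "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"type": "process", "pid": 880, "ppid": 2080,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pmgejqoy.cmdline"'},
    {"type": "process", "pid": 2896, "ppid": 880,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC63.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEC62.tmp"'},
    {"type": "process", "pid": 2272, "ppid": 2080,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmpEB78.tmp.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe'},
    {"type": "registry", "pid": 2272,
     "key": r"HKU\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe",
     "value": r'"C:\Users\Admin\AppData\Local\Temp\InstallMembership.exe"'},
    # Benign decoys: Visual Studio compiling a project, and a vendor Run value under Program Files.
    {"type": "process", "pid": 4000, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"type": "process", "pid": 4100, "ppid": 4000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xyz.cmdline"'},
    {"type": "registry", "pid": 4000,
     "key": r"HKU\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

COMPILERS = {"vbc.exe", "csc.exe"}
# Assumption: parents that legitimately drive the .NET command-line compilers; extend per environment.
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
RUNTIME_COMPILE = re.compile(r"/noconfig\s+@", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|ProgramData|Users\\Public)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
TEMP_DROPPER = re.compile(r"\\tmp[0-9A-F]{4}\.tmp\.exe$", re.IGNORECASE)


def _name(path):
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return (rule, pid, detail) tuples for the behaviours this report's signatures describe."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            pname = _name(parent["image"]) if parent else ""
            name = _name(e["image"])
            # "Uses the VBS compiler for execution": a .NET compiler fed a response file by a non-dev parent.
            if name in COMPILERS and RUNTIME_COMPILE.search(e["cmdline"]) and pname not in DEV_PARENTS:
                findings.append(("runtime_compile_from_nondev_parent", e["pid"], pname))
            # cvtres.exe is a normal child of vbc.exe; it matters only when the grandparent lives in a
            # user-writable directory, as the Temp-resident sample does here.
            if name == "cvtres.exe" and pname in COMPILERS:
                gp = procs.get(parent["ppid"])
                if gp and USER_WRITABLE.search(gp["image"]):
                    findings.append(("compile_chain_from_user_writable_dir", e["pid"], _name(gp["image"])))
            # "Executes dropped EXE" / "Deletes itself": a tmpXXXX.tmp.exe handed its parent's own path.
            if TEMP_DROPPER.search(e["image"]) and parent and parent["image"].lower() in e["cmdline"].lower():
                findings.append(("dropped_tmp_exe_given_parent_path", e["pid"], pname))
        elif e["type"] == "registry":
            # "Adds Run key to start application": a Run value pointing into a user-writable directory.
            if RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["value"]):
                findings.append(("run_key_to_user_writable_exe", e["pid"], e["key"].rsplit("\\", 1)[-1]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:40} pid={pid} {detail}")
```

One tuning caveat: PowerShell's Add-Type also spawns csc.exe with /noconfig and an @-response file, so in environments that use it powershell.exe is better scored than alerted on outright; vbc.exe driven by a parent running out of %TEMP%, as in both runs above, has no comparably common benign counterpart.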

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
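Both runs resolve bejnz.com and then connect to 44.221.84.105:80 repeatedly for the whole detonation window, and the win10 run re-resolves the dynamic-DNS name t5tmike.no-ip.info roughly every four HTTP connections without a single TCP connection to it ever appearing, which is consistent with that name not resolving at detonation time. The in-addr.arpa lookups and the bing.com / bing.net traffic are Windows background activity, not sample behaviour. The script below is an added example for this page, not the sandbox's own tooling: it parses connection rows in the same column order as the tables above from a constructed excerpt, matches the indicators named in this report, counts dynamic-DNS re-resolutions, and flags a single destination monopolising the non-noise TCP connections as a beacon candidate. The dynamic-DNS suffix list, the noise filter and the 80 percent / five-connection threshold are assumptions to adjust for your own telemetry.

```python
import re
from collections import Counter

# Indicators taken from this report's network tables.
IOC_DOMAINS = {"bejnz.com", "t5tmike.no-ip.info"}
IOC_IPS = {"44.221.84.105"}
# Assumption: dynamic-DNS suffixes commonly used for RAT C2; extend from your own threat intel.
DDNS_SUFFIXES = (".no-ip.info", ".no-ip.org", ".no-ip.biz", ".ddns.net", ".duckdns.org")
# Assumption: Windows background traffic seen in the win10 run, excluded from beacon statistics.
NOISE = re.compile(r"(\.in-addr\.arpa|\.bing\.com|\.bing\.net|\.microsoft\.com|\.windowsupdate\.com)$")
MIN_BEACON_CONNS = 5     # assumption: minimum repeats before a destination is called a beacon candidate
BEACON_SHARE = 0.8       # assumption: share of non-noise TCP connections one destination must hold

# Constructed excerpt in the report's "Country Destination Domain Proto" row order (not the full table).
SAMPLE_LOG = """\
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""


def parse(text):
    """Yield (ip, port, domain, proto) from rows in the report's column order; skip malformed rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _country, dst, domain, proto = parts
        ip, port = dst.rsplit(":", 1)
        yield ip, int(port), domain.lower(), proto.lower()


def analyse(text):
    """Match report IOCs, count dynamic-DNS re-resolutions and rate the dominant TCP destination."""
    ioc_hits = []
    ddns_lookups = Counter()
    tcp_counts = Counter()
    for ip, port, domain, proto in parse(text):
        if NOISE.search(domain):
            continue
        if domain in IOC_DOMAINS or ip in IOC_IPS:
            ioc_hits.append((ip, port, domain, proto))
        # A RAT re-resolving its DDNS name each cycle shows up as repeated port-53 queries for one name.
        if proto == "udp" and port == 53 and domain.endswith(DDNS_SUFFIXES):
            ddns_lookups[domain] += 1
        if proto == "tcp":
            tcp_counts[(ip, port, domain)] += 1
    total_tcp = sum(tcp_counts.values())
    top, n = tcp_counts.most_common(1)[0] if tcp_counts else (None, 0)
    share = n / total_tcp if total_tcp else 0.0
    return {
        "ioc_hits": len(ioc_hits),
        "ddns_lookups": sum(ddns_lookups.values()),
        "ddns_names": sorted(ddns_lookups),
        "top_tcp": top,
        "top_share": share,
        "beacon_suspect": n >= MIN_BEACON_CONNS and share >= BEACON_SHARE,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key:15} {value}")
```

Run against the full tables above, the same logic reports every row to bejnz.com or 44.221.84.105 as an IOC hit and counts each t5tmike.no-ip.info query, so a host that matches on the DDNS name alone, before any HTTP beacon is seen, is still worth pulling.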

Files

memory/2704-0-0x0000000074E82000-0x0000000074E83000-memory.dmp

memory/2704-1-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/2704-2-0x0000000074E80000-0x0000000075431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\carfsgrf.cmdline

MD5 2c863b727b645b3a52c793f7d63a7af5
SHA1 6ad8797c0e313d147dc9dcfb8809ef57a1077100
SHA256 7dd2d2058039e3ebede03f7e46f5cf8789c870a1ad6ab18cdb6f536d3aec1509
SHA512 e6ef0df6d298b953f2f50a83c07b963d976a32f7275add11a5d6b2b3161d68d5e57af7d22ae6aa855b512cfdb2e46458b734739e55f372c71eea93276012c115

C:\Users\Admin\AppData\Local\Temp\carfsgrf.0.vb

MD5 730687c1a77de5779af72f8ad7c587bf
SHA1 781752c9abfef3a80d28a6f527c084ea2e8c267f
SHA256 b3c12004688e2c9ef987e9769a8e3811e0ff1516c23202742e11c4ccf68b7e54
SHA512 7a1d04c586c18815ce9ba876191e4f084c7a8ee3a3dfa602ee49773db0e1354f0fe7f9d2d9a93ec3e96238ad7d5ff8c6703bbab3527839daf3f5aea7d0a35730

memory/2596-9-0x0000000074E80000-0x0000000075431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbcCB6B611DC8EE48228D388D5BA50505F.TMP

MD5 8edb0db0810e7db3b678904807e76f40
SHA1 06901b718597fb0993672f9748a966a772f187b8
SHA256 78ca6e48d5a2958935c623fcf65ccd20e0b3df47d1fc4e217070a26544d2efcd
SHA512 3be68dcf6684540cd961b9e3a6e216a089b1724a1110212b5202121a0bda67ae7f9628520a5990ea762f92fa806b00efafe94f255ba6666fcbc4a67e33737c88

C:\Users\Admin\AppData\Local\Temp\RES98F4.tmp

MD5 22120b5dda646ef7227bafa4e1ef77f0
SHA1 6addeb586ddbaf26ca89f7a1ce6360ee34a1b276
SHA256 030ef7ebb4af09653e9939a863c36d68f634c74bd3f39b006aa71540a33b8212
SHA512 aeb42f8fd9104ca91a59cc4d07caad2e40adf90ea9cec0e2de51a4778b371c31af63663783a351930a293557e26f962c86d23e5855611dcafae8ed0522caa33f

memory/2596-18-0x0000000074E80000-0x0000000075431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp96C2.tmp.exe

MD5 59d4bd83693455552fa6ebf736e49bf1
SHA1 d2056c3e399f8b72a61d4230b3804e4c893158f9
SHA256 c2245ab70b034e598482d53bc9b45bb76766e5e60f192dc306e1806133870f94
SHA512 e14fedfba9be289331244e22d2ec6129a96b1a024ef366892c37455275033a787d352141ead2940b99e98595002bac48468fbfb4e0e5ba00da70ee946d1e422e

memory/2704-22-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/3252-23-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/3252-24-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/3252-25-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/3252-26-0x0000000074E80000-0x0000000075431000-memory.dmp

memory/3252-27-0x0000000074E80000-0x0000000075431000-memory.dmp