Malware Analysis Report

2024-09-11 10:24

Sample ID: 240724-ddn5dsthqq
Target: c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8
SHA256: c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8
Tags: metamorpherrat discovery persistence rat stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8

Threat Level: Known bad

The file c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-07-24 02:53

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-24 02:53
Reported: 2024-07-24 02:56
Platform: win7-20240705-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2204 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2204 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2204 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2204 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1848 wrote to memory of 3048 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1848 wrote to memory of 3048 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1848 wrote to memory of 3048 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1848 wrote to memory of 3048 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2204 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe | C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp.exe
PID 2204 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe | C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp.exe
PID 2204 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe | C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp.exe
PID 2204 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe | C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v2zcsinn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC43A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC439.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2204-0-0x00000000747A1000-0x00000000747A2000-memory.dmp

memory/2204-1-0x00000000747A0000-0x0000000074D4B000-memory.dmp

memory/2204-2-0x00000000747A0000-0x0000000074D4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\v2zcsinn.cmdline

MD5 4eee9b49e5ad80448b8cedc6c186abfd
SHA1 99484596aae47b36a3f8531f17e6fa65cc24dcf8
SHA256 e94b67c4db6fc9abcafd41b43eea03ce896189b1ea562a85562542eb8246a6c1
SHA512 235d6e96d3a1a34d8a225951360f6aa7cbf4b18a67ae5bc62603dfb2de072eb711656d68a9e8b8a3b85e49aa68be395243ee8fe282ea06936dbf0aec544ad031

C:\Users\Admin\AppData\Local\Temp\v2zcsinn.0.vb

MD5 5a7af21eb3ff3384c9f0fce2f09d3d47
SHA1 50919fffaba5c6715f650dd692b870067cdd518f
SHA256 6b6cf73ecf499c57263752ec5569abf887be9c76dace6aca8ada2c85ae091d68
SHA512 f17695eaaf86400a0527296b2d9538593d81214b4c2029e5957851dbdb79cc65f784b03dad8d721d1a4893e59194c01eb4f37ecdbc5aca2ba683a8ab996c97a7

memory/1848-9-0x00000000747A0000-0x0000000074D4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbcC439.tmp

MD5 ab2170ed32c17735f09be0be220f40c5
SHA1 2638d57cbbe5fee970ecc0a9aae5db5edd5c937d
SHA256 c76b7e35865ed9f237b9ba106309abef2b39b4aa9ba43c788c577bf452353d3a
SHA512 86df735cbd2ba19ef6e21a34e12013c51ed0705506992e6af550dd52ce8dd7fe3ad22c0e375639fd15c2d29ed7c1c0b208c602c2cb6da38a607ab69dc1b6a1ea

C:\Users\Admin\AppData\Local\Temp\RESC43A.tmp

MD5 b2f8677424c347d7d36e93b49d0905ae
SHA1 ae153d7d4417c2c544eb91693fe7ff047d420e5f
SHA256 2a7552a29f23cabd0815838618242da1484b0cf836846ec56a6e10011d87e54b
SHA512 a7fbbf5791e2cb073960f6532af095c0f09bc53d22ef37fac7f6e44df6b46eba86bd589e6db262ca6abe9f9c91abc5674b1c8400739a60313288e1a8ce3d1dbc

memory/1848-18-0x00000000747A0000-0x0000000074D4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC3BC.tmp.exe

MD5 d4402aa85ca76e3ea2c1cfe916f45d22
SHA1 51a480417a6a7f3bc47503b2de937997878cde2d
SHA256 d612cd6b7cc4d8ffa3935c8d481de2b790a0180f47622a429f3b0f58215435c6
SHA512 7ed3568bb60d32873e36b3d62b2b1e797c88eb97e71300805264d2e1fd332a9c3daf2715610886cab5997be5c019eb9d217158ba663e6a3baab1fbd2816b492b

memory/2204-24-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-24 02:53
Reported: 2024-07-24 02:56
Platform: win10v2004-20240709-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpC331.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpC331.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpC331.tmp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpC331.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3424 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3424 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3424 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3932 wrote to memory of 4528 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3932 wrote to memory of 4528 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3932 wrote to memory of 4528 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3424 wrote to memory of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe | C:\Users\Admin\AppData\Local\Temp\tmpC331.tmp.exe
PID 3424 wrote to memory of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe | C:\Users\Admin\AppData\Local\Temp\tmpC331.tmp.exe
PID 3424 wrote to memory of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe | C:\Users\Admin\AppData\Local\Temp\tmpC331.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe

"C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6x8pwur2.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC563.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D187814BC44BB9B07773660AD130.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpC331.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpC331.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c6a1f184673ca5feb2736b3118bcb6ca6ae8df6b8600abb6579df0fca83bdfb8.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 44.221.84.105:80 bejnz.com tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp

Files

memory/3424-0-0x0000000074C52000-0x0000000074C53000-memory.dmp

memory/3424-1-0x0000000074C50000-0x0000000075201000-memory.dmp

memory/3424-2-0x0000000074C50000-0x0000000075201000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6x8pwur2.cmdline

MD5 50ad980528be442529f34753eaf960e3
SHA1 0111e72a560475e85afad57e95bd9807703ca822
SHA256 ef2f767881883ff1da6fe0ca52b0b6df3643f62475ff0bc9b2876ecd160e017a
SHA512 ff10c5c1ba55543d2873d03ed016f1e9b0400dd87e5c1cf799e55f03638aa7a0a735fc62464f07d16293815fc29edf0a9adaf2898276dfb36c088bf437a14ee1

memory/3932-8-0x0000000074C50000-0x0000000075201000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6x8pwur2.0.vb

MD5 d558b3e6bdaaf03ba432224c64ef5b01
SHA1 6f1a8efc504f5519eb48c45c053e484b0912221d
SHA256 9ea663ba1a68b6137cc60932886b7f7ff1c3b4830b8e2609647a54517f4440c1
SHA512 6fd2be0347ed288a8f062342073644cb8d81e787ba122acc1619a05329d00adab47cca6c487642fd302f92b00d10723ffc609a6de0978c815eedf1b4b1413d53

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbc6D187814BC44BB9B07773660AD130.TMP

MD5 c3b3c2e0048976aba40eac6271f08153
SHA1 870553c91500345124db58e7a4f3a6b7a1241791
SHA256 7be3a44c374b6397882283c551ed296f6a3e99aa8db79852a3354e92a743ac45
SHA512 494737a96d074383c723411b4327f360b793cb6dcac9461f359f2f6d04f9f4eb561687caf8f64ddd933986591eb8d422ebc1411feeb25e83a21bf08ab7f9158e

C:\Users\Admin\AppData\Local\Temp\RESC563.tmp

MD5 ba0dfa7922abdd4a809704bcc6b38953
SHA1 8606b20d8e6efa1cbd50b45e441c4fb75f4ad151
SHA256 93f4c475dc0227bb2bd6bd24827ea1da66ac1511ae96dcb883f5bb621b5189ec
SHA512 3a1847c6362f9b91ee4dc19ae293f1ff9c3f0b1fdb5d3ec5c88dfaf5a684950e6e8d5dfc32461d571af842885bae919b0200419ce3db255037ea2843ee82ca01

memory/3932-18-0x0000000074C50000-0x0000000075201000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC331.tmp.exe

MD5 ad2331d153d49a8328bfa69e6095bf9b
SHA1 82008a2f983b095df6794354261b7e916f51d64f
SHA256 9d3ff976dd7cec7b5784ccc43fb7176ddb46555ccb181976dad206793e1c7dfd
SHA512 00d59876bd46915782924a20ee77e86fe6802bfa283702bfa1c25c141c806b717a294dced7b87cec3f0e91795a17f44cb16d3c9e155927d6cf4aeedd4e12cb52

memory/3424-22-0x0000000074C50000-0x0000000075201000-memory.dmp

memory/212-23-0x0000000074C50000-0x0000000075201000-memory.dmp

memory/212-24-0x0000000074C50000-0x0000000075201000-memory.dmp

memory/212-25-0x0000000074C50000-0x0000000075201000-memory.dmp

memory/212-26-0x0000000074C50000-0x0000000075201000-memory.dmp

memory/212-27-0x0000000074C50000-0x0000000075201000-memory.dmp