Malware Analysis Report

2024-09-11 10:23

Sample ID: 240724-fb2nta1hpg
Target: f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467
SHA256: f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467
Tags: metamorpherrat discovery persistence rat stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467

Threat Level: Known bad

The file f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-07-24 04:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-24 04:42
Reported: 2024-07-24 04:45
Platform: win7-20240708-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp84F8.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp84F8.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp84F8.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp84F8.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count (identical consecutive rows collapsed)
PID 2292 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 4
PID 2028 wrote to memory of 2420 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 4
PID 2292 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe C:\Users\Admin\AppData\Local\Temp\tmp84F8.tmp.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe

"C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e0qqtwzi.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc85C3.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp84F8.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp84F8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe

Network

Country Destination Domain Proto Count (identical consecutive rows collapsed)
US 8.8.8.8:53 bejnz.com udp 1
US 44.221.84.105:80 bejnz.com tcp 1
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 102

Files

memory/2292-0-0x00000000745A1000-0x00000000745A2000-memory.dmp

memory/2292-1-0x00000000745A0000-0x0000000074B4B000-memory.dmp

memory/2292-2-0x00000000745A0000-0x0000000074B4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e0qqtwzi.cmdline

MD5 9555af1825a65d10df262dcca1031a09
SHA1 55f25e84e2124cdcc0f08d40eea43f19f2c32b40
SHA256 6cb7b7b16cab2470783dab32c437a31769a9c007a51a02f1825ea95e88d5448b
SHA512 e0f57341505ae619af16fe8fac820721b43830dd1436e4e63e23c9fb2d798149930646dee14b737b40beb803b672d71e54afae007de17412f6080e169d2e849e

C:\Users\Admin\AppData\Local\Temp\e0qqtwzi.0.vb

MD5 1ca3476e4efc13f7b53965797e787524
SHA1 538326ed3a32f4565e020a8d76e15c66694e9dc4
SHA256 0f7302d1cae82915188c062d6e1df39fa43706d9ba2bd8bc1aec48d55424bcda
SHA512 e9c54f32c1f21e6ead0a8a896c964565730ee7602ae10f58540a91e1100293ebe415eb84eeefb88cba325f5a5109f555ff418d65537c208dc55c8309fffc0329

memory/2028-9-0x00000000745A0000-0x0000000074B4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc85C3.tmp

MD5 e5d126c748adde3523500e4b57f180a0
SHA1 692e4f03d10fa0ba6a9b900b5e1c57b6ec50939a
SHA256 5cee9f1b73fa5797690d30f448c2be6548e8234caddfa438d94e2058034db8ad
SHA512 b3cca473edc8cc0e8b225a6c4a9b3d0386228a6aba3696d1d6c9d0d894e28233989eba3641c41e2b1d00d906f64fe2e9631aee01b8da665afb10b22da514d37f

C:\Users\Admin\AppData\Local\Temp\RES85C4.tmp

MD5 43ad80d9fa151dc5c45670292716a978
SHA1 cabf1471edccc46896718f56aa98d57a25b05afd
SHA256 76cc545b92eaf377091783fd3e1ee6afd86ca7709101c5bd3cdf76a993667394
SHA512 00e4d125ebbad6d0fddd18c595ec3b0df6eb388f29606a7426f548571d06a605e0833ca57627e96b48104fbefd570afa14512c27eaa32a6e132109b0fcf7fec3

memory/2028-18-0x00000000745A0000-0x0000000074B4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp84F8.tmp.exe

MD5 d8a6b140ac58b9bf47b426128ad86b88
SHA1 c7dd924e95ebc1e416028e9531e8ff635ab39df8
SHA256 f261740d7aae03c4d7e6a8689ac2e65ff2c035cbdef3988d7acd37b1af02fe58
SHA512 880168cf2e47ae75b352a4f860c26bfe4861c1d942aea3a93c4c7c6af03189e50f72b3225646b6fdae13f9b93861d54853b34b604e6ca54d84468c5958466bbe

memory/2292-24-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-24 04:42
Reported: 2024-07-24 04:45
Platform: win10v2004-20240709-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8D5B.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp8D5B.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8D5B.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp8D5B.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count (identical consecutive rows collapsed)
PID 1580 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 3
PID 4252 wrote to memory of 1880 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe 3
PID 1580 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe C:\Users\Admin\AppData\Local\Temp\tmp8D5B.tmp.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe

"C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0ciqc03k.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F8E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA29D574DBEE84BB3ABA983074B42D6A.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp8D5B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8D5B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f0f57f7c66154b69866d3418cc00a3ce24379c20c814ee88a16dc2cc3568e467.exe

Network

Country Destination Domain Proto Count (identical consecutive rows collapsed)
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp 1
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 g.bing.com udp 1
US 13.107.21.237:443 g.bing.com tcp 1
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp 1
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp 1
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp 1
US 8.8.8.8:53 bejnz.com udp 1
US 44.221.84.105:80 bejnz.com tcp 1
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 2
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp 1
US 44.221.84.105:80 bejnz.com tcp 1
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp 1
US 44.221.84.105:80 bejnz.com tcp 1
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 3
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp 1
US 44.221.84.105:80 bejnz.com tcp 1
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 2
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp 1
US 44.221.84.105:80 bejnz.com tcp 2
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.27.10:443 tse1.mm.bing.net tcp 5
US 44.221.84.105:80 bejnz.com tcp 1
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp 1
US 44.221.84.105:80 bejnz.com tcp 2
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 44.221.84.105:80 bejnz.com tcp 4
US 8.8.8.8:53 rwkeith.no-ip.org udp 1
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp 1
US 44.221.84.105:80 bejnz.com tcp 1

Files

memory/1580-0-0x0000000074FC2000-0x0000000074FC3000-memory.dmp

memory/1580-1-0x0000000074FC0000-0x0000000075571000-memory.dmp

memory/1580-2-0x0000000074FC0000-0x0000000075571000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0ciqc03k.cmdline

MD5 f318e231ded29ebf7ef81807f0bbb1b2
SHA1 7efcf99e35481a33ef0c020fe651532af0d4f34f
SHA256 479d30047c4e92e825145226bbd2c4c062bbe57d435ce52cd353a205830db81b
SHA512 c737fd81bc7c295c4d0adac2882735f920499a0869428270f011a47ddd4bd6422bf250938a1a6eda3dc504ca40cdc2013da624459955cef87bfaf049a521224c

C:\Users\Admin\AppData\Local\Temp\0ciqc03k.0.vb

MD5 55036c8387a7858a769962da2f10c9e4
SHA1 d086f2ec9d010a339da8ae8fecd27b3bed9bd895
SHA256 70af606213f22298708afe2a95bb6a0a068f0f084b07501be1a7610f989d9cb1
SHA512 aaf38c7a9526630d0ef47a1b3fdd64ef4f827debe1d9670ebe3cee9191f444bdeea7c2f3e11634538bca115a0c86935cac85fb51c811529642f37f2e09c0ce2b

memory/4252-9-0x0000000074FC0000-0x0000000075571000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\RES8F8E.tmp

MD5 fcf269c570fa2fee3533bf8d7d6816da
SHA1 a9a5c1c4ad42e0e3a687963f345cc42082a15298
SHA256 9b736b5e747414d5bca2d1594f4e94b89cf6b9f490537ff5b893377d2db441a4
SHA512 eb4922be5538fe89087f2bb266e384f57755a3a014dcdd3a918bd2513eb0a801ddd192825fb8dc9909827df51f6730bb9a39b04ae983a0ce2b526d77bff1b786

C:\Users\Admin\AppData\Local\Temp\vbcA29D574DBEE84BB3ABA983074B42D6A.TMP

MD5 6272107cb5ee6d747199e9f936509694
SHA1 ad5d515cda5b486b02203d42fa4b6a9bda02189e
SHA256 8dd7c8a48d4ee47a4b600a5c1d43cbfc7f2e4412bf545d0e9c8f2442d54cbe80
SHA512 737a4d12cdf411ec6f36cd8bb373209c6e5dd3073c45b617d8c8676171f44e796c0022de97727a54d28c0c4d5551bce264e11fb398b8e78509ed70ac63f00410

memory/4252-18-0x0000000074FC0000-0x0000000075571000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8D5B.tmp.exe

MD5 693cbad9ebed55b98bb89e79aa22ddfb
SHA1 d084f17bb863c786a79084b4d7cff719e008955b
SHA256 593e03c8dfacd9aa4a3ecb1072c12575eb66ec0284f5b2752e70537655f2c224
SHA512 d512df8572960bd99949ecf14af34a83f28a04215696016e565000fcd69a2cd227870c563f88082129b4e3a41386e30474f8ede3a8248e852ed56ce30463e902

memory/416-22-0x0000000074FC0000-0x0000000075571000-memory.dmp

memory/1580-24-0x0000000074FC0000-0x0000000075571000-memory.dmp

memory/416-25-0x0000000074FC0000-0x0000000075571000-memory.dmp

memory/416-23-0x0000000074FC0000-0x0000000075571000-memory.dmp

memory/416-27-0x0000000074FC0000-0x0000000075571000-memory.dmp

memory/416-28-0x0000000074FC0000-0x0000000075571000-memory.dmp

memory/416-29-0x0000000074FC0000-0x0000000075571000-memory.dmp