Malware Analysis Report

2024-09-11 10:23

Sample ID 240725-gvmvfaserm
Target 875aa8aeeb28f3646c22208934098420N.exe
SHA256 da8bcbbbf398154b18c1f9d8a4c2799af67aff835ee82c8f65365376d236b74c
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

da8bcbbbf398154b18c1f9d8a4c2799af67aff835ee82c8f65365376d236b74c

Threat Level: Known bad

The file 875aa8aeeb28f3646c22208934098420N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Checks computer location settings

Uses the VBS compiler for execution

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
System Location Discovery
T1614
System Language Discovery
T1614.001
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-25 06:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 06:07

Reported

2024-07-25 06:10

Platform

win10v2004-20240709-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9F4D.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp9F4D.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp9F4D.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp9F4D.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4632 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4632 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4632 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2456 wrote to memory of 2228 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2456 wrote to memory of 2228 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2456 wrote to memory of 2228 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4632 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe C:\Users\Admin\AppData\Local\Temp\tmp9F4D.tmp.exe
PID 4632 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe C:\Users\Admin\AppData\Local\Temp\tmp9F4D.tmp.exe
PID 4632 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe C:\Users\Admin\AppData\Local\Temp\tmp9F4D.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe

"C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uobhuyvl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc251E96B36A474761B81AEA78C4A734A.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp9F4D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9F4D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 tcp

Files

memory/4632-0-0x0000000074C62000-0x0000000074C63000-memory.dmp

memory/4632-1-0x0000000074C60000-0x0000000075211000-memory.dmp

memory/4632-2-0x0000000074C60000-0x0000000075211000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uobhuyvl.cmdline

MD5 8b5eeb1cdf5b4cce747b7ee47d6f192a
SHA1 6940ae5e5f5c46cd2b7ac7fb4c1c02cc4d57e9ee
SHA256 068353ee77d78078b7a26448df7be1d6eaba1e8818e40a13bbfdcf8a5a926d8d
SHA512 f3d538c97c87aa48853ee66632063c79040722f94f08daaf30d0bc0ac076d03674bf42cd71c97a530ac81a8e52ae2de0e63ba4f8ba1e038066a6b4948cf98fbc

C:\Users\Admin\AppData\Local\Temp\uobhuyvl.0.vb

MD5 7aefd80ae67a6654cfc81aec95b89bfd
SHA1 7905015f47aca81cd268fea2586ce8f6c9db3755
SHA256 ef7025caa044c483c7c034f0d3291486ab3f56417b670609b250e1b4b851939c
SHA512 46ee1d9c198d1aea07f760670ccd7e9767af1fef367e214aca93fe96a75a52f5b9cd1e8a9b64143720b6ded7b14f5f4b9487b91af989f942d40f6cb4d12be763

memory/2456-9-0x0000000074C60000-0x0000000075211000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbc251E96B36A474761B81AEA78C4A734A.TMP

MD5 eca07a75b2ef93d5e32a656d0f573db2
SHA1 ec22e3bcff4b85928f2d1b5cd2c05ef304a7170d
SHA256 d977b636abc1ec8c3a3fa19786ad0733e51e80222254bc4eda893953b594dd40
SHA512 fe980821fd68fe0833078da1478bffb7bc4af2e56c2204fb6a9101905eea3a7fdf9d44e7948af13b0804a035617fa39be3b1fd69c8904cace121d5060168cb80

C:\Users\Admin\AppData\Local\Temp\RESA0A5.tmp

MD5 174c94e34bf0041b7f2a5ab532078791
SHA1 22e3946748ed58461ab9407c0b91aaab8e1bc0d6
SHA256 316e25f054188b167af7876102edab82a6fc8824f5c2ba830382ec4cb8ac60b8
SHA512 2df292258413b17d5a8fa96e90cb3af0339038da9c328a08a46f038ca07449c38bc1fb80b80c72139bfcdd80a9fd483947c982bd25b6054b6a982fdb54018801

memory/2456-18-0x0000000074C60000-0x0000000075211000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9F4D.tmp.exe

MD5 4e06db424331cd41293feed531d8e553
SHA1 a1daf139e034966324ac5999e0e8937af5c2e208
SHA256 b6d8ac59ccdfadf6e6bf7fccad47578799dccf69bb23ed66c6fffaf44ace50a6
SHA512 9940f81708ee6d54c5a5fcd21ebae29e166d106d62f407ec67a90bf2c7fe82c06b9817af98f8d96217f3f43d664ba14328dfc2ed815e6dcd40293888481d01c9

memory/4632-22-0x0000000074C60000-0x0000000075211000-memory.dmp

memory/3996-23-0x0000000074C60000-0x0000000075211000-memory.dmp

memory/3996-24-0x0000000074C60000-0x0000000075211000-memory.dmp

memory/3996-25-0x0000000074C60000-0x0000000075211000-memory.dmp

memory/3996-26-0x0000000074C60000-0x0000000075211000-memory.dmp

memory/3996-27-0x0000000074C60000-0x0000000075211000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 06:07

Reported

2024-07-25 06:09

Platform

win7-20240708-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpC909.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpC909.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpC909.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpC909.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2416 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2416 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2416 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2364 wrote to memory of 2412 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2364 wrote to memory of 2412 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2364 wrote to memory of 2412 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2364 wrote to memory of 2412 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2416 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe C:\Users\Admin\AppData\Local\Temp\tmpC909.tmp.exe
PID 2416 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe C:\Users\Admin\AppData\Local\Temp\tmpC909.tmp.exe
PID 2416 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe C:\Users\Admin\AppData\Local\Temp\tmpC909.tmp.exe
PID 2416 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe C:\Users\Admin\AppData\Local\Temp\tmpC909.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe

"C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qbo7cyly.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA23.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA13.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpC909.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpC909.tmp.exe" C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2416-0-0x00000000744B1000-0x00000000744B2000-memory.dmp

memory/2416-1-0x00000000744B0000-0x0000000074A5B000-memory.dmp

memory/2416-2-0x00000000744B0000-0x0000000074A5B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qbo7cyly.cmdline

MD5 cf5e45ba445be123b119c98603a3f563
SHA1 005dc997106043f1a38cbf7ac7b9a1b0c67fee86
SHA256 def420c9a33c840cbaa248f6a384121f80bdd83eaf500cf01679e23082d78778
SHA512 c88817285ca1a0836ce219c5cb32f268b33c1a171a52540e3bf4546cb9264aab17247e4e164892f7d5bb7cd13c29a572354b2f2a4fedb9a59a7061655c6ca4ea

C:\Users\Admin\AppData\Local\Temp\qbo7cyly.0.vb

MD5 bb71640497a5a797c9ed55ab810994bd
SHA1 a94be960969b74a197a3bcf40a6a5eba36326f4b
SHA256 9a3551f2ca9644b7e3b5f8c5a758ac7145db086bac9eeb1cfd99cb5a633f21dd
SHA512 97fd73cab96a2c1f34bbb090a3fc4a6bc6160ef6adc8ee3777737030321c06edae1d2156f408f4057e6bc41084430029c403e7a634617e633202710ba2e8658a

memory/2364-9-0x00000000744B0000-0x0000000074A5B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbcCA13.tmp

MD5 f899797b0b089ee3b8fdbe4ce7fcf062
SHA1 1c268397419d8fbda02e1532a1ab19c2f9cbcbdf
SHA256 9d3aa4dbdbaa6adb4eecb7858e5a733458b8d3bab71e2f0d33b16a5170c21fe6
SHA512 7533426ee4f5b0ca90e5c7adef24a3347a946d02a9a5087ff6746888cd2817c889f5295e084b3f2a10fb677bd2b839463c3a01aff8bab4225acd44da6af9c4e1

C:\Users\Admin\AppData\Local\Temp\RESCA23.tmp

MD5 ee9bb4fc99c4cceeb4e6c6d331385a14
SHA1 70a1f4737aaa1838be7c3911924ee65e2f4058a1
SHA256 b2d5d8aef1ccc2c7486282c1299d26d728b1a5ee9279af445d2f8f807018c52f
SHA512 cab6e24bbeecedc597902519ae5519454f3d14587ef480240a5ab528dfdb79e0b61f51a09af946b8a290f685e03adf878202f225f35160c67abd83b4706a82b3

memory/2364-18-0x00000000744B0000-0x0000000074A5B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC909.tmp.exe

MD5 f7b413dc85ee2dd14d2ea1c593d90ae6
SHA1 37a89a56b204dfe4c290dc7b4a311553dcfa31ec
SHA256 9c1ead7fd8754c561794345e89e50168cf5630dee933f84862351a176e224071
SHA512 a5d478d365ff1fbbc54bdda5dce0593ba83f936495b3a52643a53e77eb67c46074b8ad612e984277bfe3fccd8fd71eeaed9ba7f6715a1c203c18ed3c29a7b838

memory/2416-23-0x00000000744B0000-0x0000000074A5B000-memory.dmp