Malware Analysis Report

2024-09-11 10:23

Sample ID 240725-x4d7nazbjm
Target 1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7
SHA256 1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7

Threat Level: Known bad

The file 1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Checks computer location settings

Deletes itself

Uses the VBS compiler for execution

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
System Location Discovery
T1614
System Language Discovery
T1614.001
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-25 19:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 19:24

Reported

2024-07-25 19:26

Platform

win7-20240708-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3024 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3024 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3024 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3024 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2204 wrote to memory of 2768 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2204 wrote to memory of 2768 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2204 wrote to memory of 2768 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2204 wrote to memory of 2768 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3024 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp.exe
PID 3024 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp.exe
PID 3024 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp.exe
PID 3024 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe

"C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iq4iedbq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD6BF.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 tcp
N/A 127.0.0.1:127 tcp

Files

memory/3024-0-0x0000000074911000-0x0000000074912000-memory.dmp

memory/3024-1-0x0000000074910000-0x0000000074EBB000-memory.dmp

memory/3024-2-0x0000000074910000-0x0000000074EBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iq4iedbq.cmdline

MD5 c7b14cbdc137f2ca8e78c7ba0c47e831
SHA1 821bbd961297363fbfde06fed2cbf54a559e9fab
SHA256 478464f320964a496de0a8b1bc8f89127827dade6bd91abb7d958c8fa661df05
SHA512 262349f2d5988885bb3ee4df19bdae0fda4431a740fabde468c86b6b6a351ef1393699d2d503377c2fbbb341534de849365bb88515986a53bb3dc57761cda223

C:\Users\Admin\AppData\Local\Temp\iq4iedbq.0.vb

MD5 ec884eb5d359a412cf7f2300b205ee86
SHA1 20650b9d4e26f57fe2c465dfbc180fa488cbff3d
SHA256 09ae7477387beb5da0c3d38b93af73ca3da83fa157054ed605d1895602a76ab7
SHA512 fcef6bcc2924abe683408682986fd470a8f06d1094f0365b92d9dc74f6d2cd290d08dff655ed456e9d02d9da06acd8604e5ebb3609d62968272253bfc0cb8123

memory/2204-9-0x0000000074910000-0x0000000074EBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8b25b4d931908b4c77ce6c3d5b9a2910
SHA1 88b65fd9733484c8f8147dad9d0896918c7e37c7
SHA256 79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e
SHA512 6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

C:\Users\Admin\AppData\Local\Temp\vbcD6BF.tmp

MD5 66fd8491f7eb0f3ee011764d9afec647
SHA1 1ab51a1b44b4f58925472e9f908b1573c9a5cb9b
SHA256 a055f18a5aadc78c7ada03be29b62e1e693fdec3d042f72c9e15ac0eca37d326
SHA512 8aa913868e593ef1c4d7f884d40c845685fb8a506d7dcec88b804043850b409206add30186177206890770c7f41258dcb47708a0dcc98b7fb5b6959730965b67

C:\Users\Admin\AppData\Local\Temp\RESD6C0.tmp

MD5 19cf387d75844fc5a1688d066feb9482
SHA1 971287a5bb09054d419c626c3f4557ff84a39b5c
SHA256 59dafd54c5c1a50790d391d38d09d8e5990a6cdb14603b3dd29c93e413be5502
SHA512 ff1417e06c05034bfb3111726c83f9bf2e10bad7a2ad6cda0c8b0f33039f6d1b61d60cecb6a20c29aab0139e94a1f70427452ae39108d3c7136045e3cc79d0e1

memory/2204-18-0x0000000074910000-0x0000000074EBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD604.tmp.exe

MD5 eb8f980e87dd9445af4ef1651e1cff9b
SHA1 95edcc800ef823e31fadf3ab96c02b7b2a36102e
SHA256 ec6e3fe546f4fbaf5f2d8e5ac5f028ae2b23f686a5db510bcd26c42214003797
SHA512 6848fbbe37ea84693d895225fca8e2177baac80213f803ee8de3e05b9867c6c3d897ba8d31bc5b1fe8b2432e940bae99a5baab5d4a00f69b27e18290f432f750

memory/3024-24-0x0000000074910000-0x0000000074EBB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 19:24

Reported

2024-07-25 19:26

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp7F03.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp7F03.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp7F03.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp7F03.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1168 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1168 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1168 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4364 wrote to memory of 3704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4364 wrote to memory of 3704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4364 wrote to memory of 3704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1168 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe C:\Users\Admin\AppData\Local\Temp\tmp7F03.tmp.exe
PID 1168 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe C:\Users\Admin\AppData\Local\Temp\tmp7F03.tmp.exe
PID 1168 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe C:\Users\Admin\AppData\Local\Temp\tmp7F03.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe

"C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w7euzobh.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FEE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C7A3A0D77664D1BA355C993996DE6AA.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp7F03.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7F03.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1e9bca2611f164a0afb4b2810db4ff55bfab4f1dcc790e258ce587c286861ee7.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
US 52.111.227.14:443 tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp
US 44.221.84.105:80 bejnz.com tcp
N/A 127.0.0.1:127 tcp

Files

memory/1168-0-0x0000000074D42000-0x0000000074D43000-memory.dmp

memory/1168-1-0x0000000074D40000-0x00000000752F1000-memory.dmp

memory/1168-2-0x0000000074D40000-0x00000000752F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\w7euzobh.cmdline

MD5 9a583fdf7eeefa6976fe1c1be0fa4091
SHA1 2b587443a494ecf27a4496141a3f00e9a1f16531
SHA256 1192509295682b5afc875667439acf66b300677e1b2ca8efc5f78b4c616f34e6
SHA512 f259619edd7f6c621a9a0e72bb466bb11fc2687a3c33dfb6c6f637b3c2c519ab4c1880653f68d77e3c6cbf0ccbb07aef9a9551b89b7bcd19c509c0a5071b60e1

memory/4364-9-0x0000000074D40000-0x00000000752F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\w7euzobh.0.vb

MD5 5312747f88ffaeb5a001083e73ba844b
SHA1 f4dd5527b02a9f006ccd7c15a9c854884a531e0d
SHA256 06e0daa79fe1cc0c99707f84cad3c01ac13e2b672fadbb6e21e9956ac9387054
SHA512 d8b0da9ea189264b9ac3442086f186c6d0832d68a573be7d08baf7c68c71abeaaf02c5da85430126140b4bbbc7559719e9957230942484d633df65b6041a5476

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8b25b4d931908b4c77ce6c3d5b9a2910
SHA1 88b65fd9733484c8f8147dad9d0896918c7e37c7
SHA256 79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e
SHA512 6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

C:\Users\Admin\AppData\Local\Temp\vbc7C7A3A0D77664D1BA355C993996DE6AA.TMP

MD5 b9a83166228a3daaaf604b9302741bb9
SHA1 552619300079783c0a73482823757a8c84ebe6dd
SHA256 055d061d73a296da6d8715fcb32b05d7959ebc23f2f58bb691a7a0a2afd2a81e
SHA512 e37f3850d3edcb53b2491ef1c1a959e4240f3bd657bf8375ee824b3474f529ea5fc5c9d341a61af6abb47505a74819ca9b44e1ac0f06b3c25d189a400858cf3e

C:\Users\Admin\AppData\Local\Temp\RES7FEE.tmp

MD5 02743cef34323788a9ddcf2151449d8f
SHA1 6d53afd34060caac471074c52c92f24540498bb7
SHA256 a0a55e986e228743c0ce51092e5d0bbf0d07a66c6b1d12910a13be7a7953ce6f
SHA512 216f60d345b79a6c9851936d196207660b4bb056146954f183557bf34267c7cc09909c1ef9751ff9ff7f1722858cba39af43b81ada1d50dd446b680ca4d219a9

memory/4364-18-0x0000000074D40000-0x00000000752F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7F03.tmp.exe

MD5 492b939c48cf442822aafff73903a0c2
SHA1 d2ffa2a4d83979774cf657b4e725ed0c04b1962d
SHA256 508f515adee7c08bd1f870492520d66484843587677b51275c8ac456783a3847
SHA512 ea52294a566543e8b93c7a0c0f0c679b38535142b3c9d595b10f92ac12a6b98ee6bf2596e52214fc5ecc1a7d6a748c801ae0bcbd41c11f8d8e4405afb0b32801

memory/1168-22-0x0000000074D40000-0x00000000752F1000-memory.dmp

memory/2116-23-0x0000000074D40000-0x00000000752F1000-memory.dmp

memory/2116-25-0x0000000074D40000-0x00000000752F1000-memory.dmp

memory/2116-26-0x0000000074D40000-0x00000000752F1000-memory.dmp

memory/2116-27-0x0000000074D40000-0x00000000752F1000-memory.dmp