Malware Analysis Report

2024-11-16 13:12

Sample ID 241103-ynapzasgnc
Target d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N
SHA256 d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0
Tags
metamorpherrat discovery rat stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0

Threat Level: Known bad

The file d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Checks computer location settings

Uses the VBS compiler for execution

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 19:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 19:55

Reported

2024-11-03 19:57

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpBB70.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpBB70.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpBB70.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1860 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1932 wrote to memory of 2820 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1860 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe C:\Users\Admin\AppData\Local\Temp\tmpBB70.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe

"C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cjl53v58.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCF7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34A3DBDE2F954F3884EEBA712E71CAD.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpBB70.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBB70.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe

Network


Files

memory/1860-0-0x0000000074E62000-0x0000000074E63000-memory.dmp

memory/1860-1-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/1860-2-0x0000000074E60000-0x0000000075411000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cjl53v58.cmdline

MD5 27edf1e31ce1443a3fc0c88dfab7ce12
SHA1 ec21817ecca4b7227f557d426d6f1a2459c5161c
SHA256 667779084916ee21c046670f544dd59de4fefa6ebf9ed8813321365bcf2e98ab
SHA512 24457548ce1f3b522f80f8b622f3184cbc5b7f1123732b31911458a35f4a6dbe2e8bd71c0b0ba2ac78586c341c4de1b7032372788211565a53042eef67876aa7

C:\Users\Admin\AppData\Local\Temp\cjl53v58.0.vb

MD5 46172151fc0cc7e390a5b63d011c75c9
SHA1 73944350e6bbf8486f7f3e4a7f61b7af8b457a94
SHA256 43f420644e64127644c91ccfb542404e8dba39b0e0f35a563a2adad2dc12a8b6
SHA512 c1a10f8ecb2aab7543379be0c0d95b940dfac2eabe7ea2f65c0d9609d7585a57d673b4e7a061fec1e75c0f9fb66ee6976987d33c2810663e5913007a30ae39cd

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8008b17644b64cea2613d47c30c6e9f4
SHA1 4cd2935358e7a306af6aac6d1c0e495535bd5b32
SHA256 fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55
SHA512 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

memory/1932-13-0x0000000074E60000-0x0000000075411000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbc34A3DBDE2F954F3884EEBA712E71CAD.TMP

MD5 881a01e1e57e233b14bb290ba0f55760
SHA1 616c29f9712661fab95d871f1d4a387cdfef7805
SHA256 55536805cefd8f4b2065762a5b44167840b282b903b984a28f7e00b1d87ab1a4
SHA512 f75af192fad8960455d24d24a47c6483924f90f758b4f9dc74246e2bb2ec11e14e3664f5b4854fb8102fb9a9a4c8dc508bbc002033cf1bf4fb70cf69fcce697c

C:\Users\Admin\AppData\Local\Temp\RESBCF7.tmp

MD5 598938f3a33353d19e48d8b4294f1212
SHA1 71b3c8528bad19114af1770182f25d81638bfad1
SHA256 ccfd27f052b02bb00efc5c960980671c72fef5c0d49b9f5d1003b642e81c297d
SHA512 af5e4f4a3c696a5aa815c2a64626bae639b6786ed3c642f6bcc3c6f89b602f6aff86a816d14f6258edbd64fcb9910fd381f3f726daa9dbc28ce9106dcfc8e1a8

memory/1932-18-0x0000000074E60000-0x0000000075411000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBB70.tmp.exe

MD5 be3dc4bea0173f8b1e764d3848ce64e0
SHA1 1aa62c30dabdc03b28a2674ad284d6b759c92553
SHA256 b9bd7966d04a9d63c7a62a4ba92728d68de7d634349adf27c4c52513337e806c
SHA512 1179cd590d059b9eda1e66d9d212f4d45e85eeb7be924b89f84637af6692331c30cc3a6f54c3fdbcbd06287c80747e2a73064dcb499fb8598b57ce8db4ac89e9

memory/1860-23-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/5032-22-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/5032-25-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/5032-24-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/5032-26-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/5032-27-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/5032-28-0x0000000074E60000-0x0000000075411000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 19:55

Reported

2024-11-03 19:58

Platform

win7-20240903-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5013.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp5013.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2672 wrote to memory of 2684 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2856 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe C:\Users\Admin\AppData\Local\Temp\tmp5013.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe

"C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lgrr3xm0.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES510E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc510D.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp5013.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5013.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d06b61e67bd51d8aaefe7f6f70d6f3b0bbf28ac751c45e2be86374e4ece1fdd0N.exe

Network


Files

memory/2856-0-0x00000000747E1000-0x00000000747E2000-memory.dmp

memory/2856-1-0x00000000747E0000-0x0000000074D8B000-memory.dmp

memory/2856-5-0x00000000747E0000-0x0000000074D8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lgrr3xm0.cmdline

MD5 591105bbd42ff5ff59961340c3f4e372
SHA1 f101b0ac017e8730e398bc39b2e6b49a8b08cfb5
SHA256 efeaf23df08588f7a16d9b94031f1d487842ebd80772d0b07f097e9b6639397b
SHA512 af854cc269b591e1ad0d881fc4450fa89e8c2af976a58e15349a4b6b95b395fa113eae7d0db0f5109b2d4de69825efd19758ed9f02a6a16ccf6e448b6f5a519e

memory/2672-8-0x00000000747E0000-0x0000000074D8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lgrr3xm0.0.vb

MD5 62aa908a6c78c20cea4fce1addd24f98
SHA1 43faad2007912153f1bde72d7efad665727404fc
SHA256 e0c769a2202741f69b68b82cd60abcf2098e42183fd517a834f9c102dd8e430e
SHA512 caac3078b2ad64a9efcede9985c8312debe72e344f46e6ac155a06b15e810e9a4109c665d12c4a6d5cdc1820c64d4071218a0c38f88e4da78abb90785264f604

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8008b17644b64cea2613d47c30c6e9f4
SHA1 4cd2935358e7a306af6aac6d1c0e495535bd5b32
SHA256 fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55
SHA512 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

C:\Users\Admin\AppData\Local\Temp\vbc510D.tmp

MD5 79a5c199a3e8e06d58a0d85f7f742373
SHA1 32580c3df4c02098749794260f395b53dad15460
SHA256 b506630fd777212428dbdd5294683f30626eeeb4b21c2d02033d444301985bce
SHA512 a45fd0887d17e6c64e191e9db023fc09936f283c8a114ae2413add16ab4dbefb9b46c5f50f70ace2444adfc213f71d0e034d3977d11f25aa239fe797d2630fc9

C:\Users\Admin\AppData\Local\Temp\RES510E.tmp

MD5 94044b0f33c7670e805c7347e893fc6e
SHA1 b1634ef609f2071740c73ff2d2edbe2a96262059
SHA256 916ad5185300955d15bf8b8bc9c69f4e3aeddb0dfbac28d6c22fcd57f6a37936
SHA512 4fbdb5a51bc0ea181e41eb23206fff0908c92b489a46157da39117156c16a2165b140f134113fe67f10e976daaca464d77259e8417ac29b71f22897fa698d440

memory/2672-18-0x00000000747E0000-0x0000000074D8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5013.tmp.exe

MD5 1f1a2612a30efa0954959920463f2926
SHA1 b0ec7ed0956e431fb76c35a8fcf4b82ee057b5a5
SHA256 de714a93e6dd3913d05551b9bee429cd28be00cccd5818d16e5f17ce19dd6bf7
SHA512 f628b7aaffa0b588753736a77212f5917c95b5d77cda485a050ccf9f5ae1ffdd47c75165e0d56d6b8411691e2681c5e9b490c2fea0ca378b718c427a9f100037

memory/2856-24-0x00000000747E0000-0x0000000074D8B000-memory.dmp