Malware Analysis Report

2024-11-16 13:12

Sample ID 241106-dd53xatclg
Target bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f
SHA256 bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f

Threat Level: Known bad

The file bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Checks computer location settings

Uses the VBS compiler for execution

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 02:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 02:54

Reported

2024-11-06 02:57

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp85CA.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp85CA.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp85CA.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp85CA.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4256 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4256 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4256 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4964 wrote to memory of 3888 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4964 wrote to memory of 3888 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4964 wrote to memory of 3888 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4256 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe C:\Users\Admin\AppData\Local\Temp\tmp85CA.tmp.exe
PID 4256 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe C:\Users\Admin\AppData\Local\Temp\tmp85CA.tmp.exe
PID 4256 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe C:\Users\Admin\AppData\Local\Temp\tmp85CA.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe

"C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\amadn7j6.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD7C7351565654EC0B1AEDA90A05883CA.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp85CA.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp85CA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp

Files

memory/4256-0-0x0000000075182000-0x0000000075183000-memory.dmp

memory/4256-1-0x0000000075180000-0x0000000075731000-memory.dmp

memory/4256-2-0x0000000075180000-0x0000000075731000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\amadn7j6.cmdline

MD5 70383d9469c65033e477b34e755cb668
SHA1 3d548b543b0e823e3238d122153a596920e3d48e
SHA256 1b4e3a15739e9ae4a2434ba7754e856c6864a5f0b461cb77d6eb45c8b0cc2de8
SHA512 06def29f1dc04eb6809b9322e72dcb3a6ba2aaea0845a82090ee4c21826ac5cca9b422ab64869d4481ef7ddd50987cb22928f93b5f7972b34d9f1169f514b47c

memory/4964-8-0x0000000075180000-0x0000000075731000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\amadn7j6.0.vb

MD5 1500ba4a09a0264141dc2dcd64d4688a
SHA1 adc9a2e2529992da91678abd441cfae9d3756917
SHA256 846417c2ea926ba5997bb223126dee70077241c64fc6520ba32e0bba75a2daf8
SHA512 1b77d0feed1501f86fe5eb83edfa9068f0588dde7e73f6affe11df819a078ba760bb2655f08321e4fe762142381baceee7d39fd2c7c764e6c42a5609b8181c49

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbcD7C7351565654EC0B1AEDA90A05883CA.TMP

MD5 82e4c5eb059f5aad297b9ed09e614547
SHA1 03363510f7776d00aec5aed799c2232c5000d2fc
SHA256 37afb7101ed290e27820d6eaa70b101fd0de2decac6e9823133f40f90209a050
SHA512 3359126a43238a0a1cdba662838a628d6d01eda04a7da625b3ab06375f25166c11186efaa8ff57d98ed26b289d0387036cd387f1a61530e5d51245cacc769a15

C:\Users\Admin\AppData\Local\Temp\RES86C4.tmp

MD5 cd74f3b79e09f8ad3494b140bd3aee0d
SHA1 9458d0ca71ba08ea9800f49089bd1df3fbc00fe3
SHA256 8eeb451a486985a336f432adb4da44e8a9bfebf23a0dcef861149fa0cd326dca
SHA512 f88100d74974dd6edc0c2a28c89bfadcae7785e4d7617511fde0d0d57476a611910b4709ad58dec2f2da68a184be62efbcf7a31bb5b4e1f984e05456b07558fc

memory/4964-18-0x0000000075180000-0x0000000075731000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp85CA.tmp.exe

MD5 9776c9c56bcaf595bb4454d2532aaf1f
SHA1 f0ae467b48042e492303de4b412f7a795a3cc5fb
SHA256 b701dafd15e653959aa3ef153d2ad7d80f86792c39b6eeb515328408e62cd770
SHA512 4aa14cab7f55a57ac44f15d53d2ee75c96d70e0176e8fa0070ab804fb3f7f3dc7ddd709ff3d464962ce836ecda14646743e8ee56a6f1bb38193258fb6564717f

memory/1676-23-0x0000000075180000-0x0000000075731000-memory.dmp

memory/1676-24-0x0000000075180000-0x0000000075731000-memory.dmp

memory/4256-22-0x0000000075180000-0x0000000075731000-memory.dmp

memory/1676-26-0x0000000075180000-0x0000000075731000-memory.dmp

memory/1676-27-0x0000000075180000-0x0000000075731000-memory.dmp

memory/1676-28-0x0000000075180000-0x0000000075731000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 02:54

Reported

2024-11-06 02:57

Platform

win7-20240729-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2660 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2660 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2660 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2800 wrote to memory of 2684 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2800 wrote to memory of 2684 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2800 wrote to memory of 2684 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2800 wrote to memory of 2684 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2660 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp.exe
PID 2660 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp.exe
PID 2660 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp.exe
PID 2660 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe

"C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\esajon-c.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F1C.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2660-0-0x0000000074351000-0x0000000074352000-memory.dmp

memory/2660-1-0x0000000074350000-0x00000000748FB000-memory.dmp

memory/2660-2-0x0000000074350000-0x00000000748FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\esajon-c.cmdline

MD5 2830091f2b718ccb2b8b494382f342b0
SHA1 1fb967ba73bc1515db7e830c9dec50c844ac9ca3
SHA256 2f97e34459d216de5f1572e5a19341bb07b135744e78e3762b557a098c615a59
SHA512 8189bff7ba43e88abdfdb9d29c1a35ca9ece4ec360f09c9729b6cf4044f0a22c4995e3f981f5c85c0e3d56fca0b0dfa153074bdfd7480ab695b9053bd29d4fa2

memory/2800-8-0x0000000074350000-0x00000000748FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\esajon-c.0.vb

MD5 b0515dfbaa3b1569c1fa392e25be2961
SHA1 d1aec4862296cb956ccbad7cb2c1dd631dc1bb61
SHA256 88244b221e485f532f95bc3bd58dae196dc5c9f7bc42d17af62348dc23bea14d
SHA512 f0d9c2d821b533ea080016187502cd4088171469702a729a3337fe8e95013f50718bd6674d79942c52a82edcb2e9a12311072d118ec902c3502c1c6959afe314

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc2F1C.tmp

MD5 2b608531fcea6f96edb158e4ad073542
SHA1 2e44dafbe131956260b6480a18dc8997eec10ada
SHA256 eec1b22fb1c1d560fd5147940b6b58c991b53ae83e4b77303ba42b31ba5988f3
SHA512 038a4246c5ecfe71ce07148b9bf511cd05ccee1b5450bdd5b5381d00dff0672a2a69879ef977e11ab4f2239f9d958032eda4e19076e03947bbd0d1c728557cb4

C:\Users\Admin\AppData\Local\Temp\RES2F1D.tmp

MD5 a73adf33c48d9a3357dd789021444d3e
SHA1 ee4aae3278e659ee78c5309cb3471363a2f582ce
SHA256 c490056a5e6ecf955921ed22156673e0373957808cb1dc0951a3ad5b76ff0753
SHA512 624f5d1b240fbaff458bdecd2e469acc79044205013fc269e656a9ccdc4a5ab04785adc2a8f7e241c060df236b2290cfedcfd13f0099798040d0567d1523b8e8

memory/2800-18-0x0000000074350000-0x00000000748FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp.exe

MD5 f72279fa6b5c90046f5dcbf81fa701d9
SHA1 df76f84f3b2dd1ff472fa838fa56fc963fb1fc6b
SHA256 f4cca39e76bd011c91c9a58b7383728565ba21e53c37d8effb8e4743d251a9ed
SHA512 e9d10e3ae53967dd27067ca9ccc0f6da9eae5280136c373680659c4059c6b4de2482a2bbc1d029d681f9170022963ec87afd1e4aba51bbeba8c16d01acd36e6f

memory/2660-24-0x0000000074350000-0x00000000748FB000-memory.dmp