Malware Analysis Report

2024-11-16 13:11

Sample ID 241109-dhyvdswdkf
Target 94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN
SHA256 94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52b
Tags
discovery persistence metamorpherrat rat stealer trojan
Score
10/10


Analysis Overview

Score
10/10

SHA256

94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52b

Threat Level: Known bad

The file 94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN was found to be: Known bad.

Malicious Activity Summary

discovery persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Checks computer location settings

Executes dropped EXE

Uses the VBS compiler for execution

Deletes itself

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 03:01

Reported

2024-11-09 03:03

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1720 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1720 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2756 wrote to memory of 4680 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2756 wrote to memory of 4680 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2756 wrote to memory of 4680 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1720 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe
PID 1720 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe
PID 1720 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe

"C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_mym-pfs.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9078.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc463D82C58CBD4FD3976CF844EC8F32.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/1720-0-0x0000000074A52000-0x0000000074A53000-memory.dmp

memory/1720-1-0x0000000074A50000-0x0000000075001000-memory.dmp

memory/1720-2-0x0000000074A50000-0x0000000075001000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_mym-pfs.cmdline

MD5 48e6332a5b083340f2456bb101e2cbb1
SHA1 fadac5c608d61e623e308d80d2136e1c47066426
SHA256 4d477e06a356f276311772ac10cc405d976b0606ff4a32f07cd7af84a9ba535c
SHA512 09decf5aeb33c4c34913f667c7b4885b201760b1cf2b55ee72f3663da2ca723b112fbd558a843521cbe7c832301f095ec505331801a0efc80806824befcd8533

C:\Users\Admin\AppData\Local\Temp\_mym-pfs.0.vb

MD5 598fe73a88949020ddfe50870da65e9c
SHA1 3469fa4c76c4cf7ce2eb9b941be921114d8b1eaa
SHA256 3a0e832857ab9435c86973bc82eaf737f67ba7e71ef959708cddee28cafda97b
SHA512 3bc602afcfa0b96ae6927e3f23e4cf3b54eab3ab63e9c37dce486ab47c6204f30aa184d06fad191514d879d38737c32d4bd0ae5ea204c921b3fa3e2fb524651c

memory/2756-9-0x0000000074A50000-0x0000000075001000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 6870a276e0bed6dd5394d178156ebad0
SHA1 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

C:\Users\Admin\AppData\Local\Temp\vbc463D82C58CBD4FD3976CF844EC8F32.TMP

MD5 6de6752b6791f328c5a6d8182f86d477
SHA1 19207a69bc05f7ba23afcb00d802b630b730e68d
SHA256 5b63520b52b463298f2c806f00dad110f4804a37a73324bf29ce3bca2024929b
SHA512 7c4b4dc1208488a90a96f76fb7cd3ddcdfc1f932bd761f75e9be412debbece8c8ba34410461a5b4d1094ed4646336806aeade935ef671b082efee01effa8567d

C:\Users\Admin\AppData\Local\Temp\RES9078.tmp

MD5 9490099935311c99874b93437e019ad9
SHA1 6d0f5963cfc9fef721b9f67ab8fcf58e831c489d
SHA256 e4681c931446027ad5862ff8db3f1cafeca3d12d228a411a5add5248534d84ff
SHA512 8c8f7bdb103e78bdca8bdb24233d0d604e5f8b6eae4862fc2a5274d9033c12fbfef9f4517dab73bc0efbc2ee4d7cf1ca5150a77539e8c0e7770a07a2483665d3

memory/2756-18-0x0000000074A50000-0x0000000075001000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe

MD5 7cf8103b7f88099cf61dd0d2995ef009
SHA1 29843463e001528afa9205a99764bbb434c196e0
SHA256 75a1ed3ab304d2d7c443e2cffb13ae08d2a2c34da22c32544e8e89e64ccd9adc
SHA512 a69b3e061191838369417c36ca0df144309eda3b40f59086790fd1f1f19eda33807a82448dd6faf3eb12bee814b9eefb57c01aae7b0adf96b2345018b3d6b376

memory/1720-22-0x0000000074A50000-0x0000000075001000-memory.dmp

memory/3180-23-0x0000000074A50000-0x0000000075001000-memory.dmp

memory/3180-24-0x0000000074A50000-0x0000000075001000-memory.dmp

memory/3180-26-0x0000000074A50000-0x0000000075001000-memory.dmp

memory/3180-27-0x0000000074A50000-0x0000000075001000-memory.dmp

memory/3180-28-0x0000000074A50000-0x0000000075001000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:01

Reported

2024-11-09 03:03

Platform

win7-20241023-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB1A3.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpB1A3.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB1A3.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpB1A3.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1776 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1776 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1776 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1776 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2292 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3000 wrote to memory of 2292 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3000 wrote to memory of 2292 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3000 wrote to memory of 2292 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1776 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe C:\Users\Admin\AppData\Local\Temp\tmpB1A3.tmp.exe
PID 1776 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe C:\Users\Admin\AppData\Local\Temp\tmpB1A3.tmp.exe
PID 1776 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe C:\Users\Admin\AppData\Local\Temp\tmpB1A3.tmp.exe
PID 1776 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe C:\Users\Admin\AppData\Local\Temp\tmpB1A3.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe

"C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pkjl0xrt.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2BD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2BC.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpB1A3.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB1A3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp

Files

memory/1776-0-0x0000000074531000-0x0000000074532000-memory.dmp

memory/1776-1-0x0000000074530000-0x0000000074ADB000-memory.dmp

memory/1776-2-0x0000000074530000-0x0000000074ADB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pkjl0xrt.cmdline

MD5 75f4c0fc6430c37d19957d13b3c89d4e
SHA1 d24bffc7285372a3fd48ac24957e404b6ffcf914
SHA256 1eba452386b89b42034c262674975fc6c92b71197d99f43b0d06faed169d241e
SHA512 3db6e8d6a05e141565bf253501d3b9e530d69dda00fff85559542539d9e341894c34e54c35afce5bc3502f9526c994cb4ff3b70e6f43c434a5a8dcda8325ef1e

memory/3000-8-0x0000000074530000-0x0000000074ADB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pkjl0xrt.0.vb

MD5 aeb7f6035d90138e0cc0870c7b70066f
SHA1 a7147994253acd0c63c4d962c4dac2c1facd848f
SHA256 7fd132eac2d6ef7f5ac0959bbab7d31b2a9db69d35ce16772f54894267b58b97
SHA512 2e782c2a6f919fe4df321fab9722b2a51f0c9771d0defd031cdc6781cbd64f741278f0ad4ebd66cd6316e2645dede635d3f4e8ad535d5d2d8695ea86c228e70b

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 6870a276e0bed6dd5394d178156ebad0
SHA1 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

C:\Users\Admin\AppData\Local\Temp\vbcB2BC.tmp

MD5 6b260cd68b3e8b3782b3ca94c1c88a87
SHA1 c7ea88e7f81f3f2d3605673aff615fcbc9c8fb36
SHA256 32bf351c97b2243673700811a00b321e0a39358223ff0774770e50d051cef263
SHA512 5997d30dc007b580418f51edc142af8f62680ddd463aa12d7c76bb4b59035f3ded9c9e0708cd4debbf4f13c7061e34fc603f64a9b959729066abb5693ddab5e5

C:\Users\Admin\AppData\Local\Temp\RESB2BD.tmp

MD5 c94ab7b6d1dda59550c3a8a1bf5b8310
SHA1 059e7a0fcd8a58446e7ce9e39190bd7dbb636a61
SHA256 2ca1ba42c8f7998313fd3293ca707a8bb8f962b48a6cef518cf4af1479f3f227
SHA512 a5d1e510de388186d720c5075ea5ea80416629069b88bbff01498d47050b474131c5293724299cf96806eb07a0df6752c5b753253d4844955c3cbc1fbf8c8bb4

memory/3000-18-0x0000000074530000-0x0000000074ADB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB1A3.tmp.exe

MD5 512169605dbc0d972b38da2914b08d0c
SHA1 84d835bbec5bd96d908e5c24e37d27dd0bb79fdf
SHA256 3671fe8318e01851a739c8102193ad5f8092ab9bb3f7f67e89751cd2400f00f0
SHA512 dcf95a73fc57e8eaa8a54e71a500b5627af802bf406d8dbe9133fb22cb09d68347342c0dce907a568948b35dcb64099b60f62c0c133c442cbdbe2a18873557b6

memory/1776-24-0x0000000074530000-0x0000000074ADB000-memory.dmp