Malware Analysis Report

2024-11-16 13:11

Sample ID: 241109-gkkmbsygpa
Target: cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N
SHA256: cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94
Tags: metamorpherrat discovery rat stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94

Threat Level: Known bad

The file cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Checks computer location settings

Deletes itself

Loads dropped DLL

Executes dropped EXE

Uses the VBS compiler for execution

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 05:51

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-09 05:51

Reported: 2024-11-09 05:53

Platform: win10v2004-20241007-en

Max time kernel: 119s

Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp884A.tmp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp884A.tmp.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp884A.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp884A.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3892 wrote to memory of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3892 wrote to memory of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3892 wrote to memory of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1552 wrote to memory of 4376 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1552 wrote to memory of 4376 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1552 wrote to memory of 4376 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3892 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe | C:\Users\Admin\AppData\Local\Temp\tmp884A.tmp.exe
PID 3892 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe | C:\Users\Admin\AppData\Local\Temp\tmp884A.tmp.exe
PID 3892 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe | C:\Users\Admin\AppData\Local\Temp\tmp884A.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe

"C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yuignblg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8993.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc41EC762CFCC142489B8E30E6134D96.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp884A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp884A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/3892-0-0x0000000074A62000-0x0000000074A63000-memory.dmp

memory/3892-1-0x0000000074A60000-0x0000000075011000-memory.dmp

memory/3892-2-0x0000000074A60000-0x0000000075011000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yuignblg.cmdline

MD5 184986374e84499bcf6f693870a76b3a
SHA1 ce4a6fddfac7962cc8a146c8eeaf0636141ddc23
SHA256 18404405d40778790cc2414c3a1eeeebbcb066c1d245126f9d1d60d6675734dc
SHA512 39cc0c450607cba9a3b39e4776dd0aad3cda08ec46eecc57431794ad8e4c42a89595acee681d87e1ad7a88d345c328e9fe5ec12c351df52eda41a3ff3692bf50

C:\Users\Admin\AppData\Local\Temp\yuignblg.0.vb

MD5 6033a45f60a56133f940c48b74c15973
SHA1 e073f56ede861d9ae9df3d533c615c96c8b9f274
SHA256 8025b6468bd6cc9484aa23a963b333ef9bcb3864772274c667589ed19d1ba8a6
SHA512 9e3b5b7d220f096d9ef64db7cd708373d1a6199725bfa2d5158a6c30341eabb5e363aac225a7c5f6cfd7527f186461782a633bca728c86f954fdb61ad6324f08

memory/1552-9-0x0000000074A60000-0x0000000075011000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8008b17644b64cea2613d47c30c6e9f4
SHA1 4cd2935358e7a306af6aac6d1c0e495535bd5b32
SHA256 fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55
SHA512 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

C:\Users\Admin\AppData\Local\Temp\vbc41EC762CFCC142489B8E30E6134D96.TMP

MD5 22d9375175e87a3c8110e176b2580cef
SHA1 b86771ec7291b2235438f29a800b9d781e31e3ad
SHA256 afeba67c3efb909108df641e27a6f96f626d25c08e617147735444a0a4303a0d
SHA512 3e3d4a2d8efe2c437fc9c771f0dd5a4611edde9e99ae7c36af59ad072361c7399c67e0147e2166a1fd331480f78ce740a2eb340c62bf5330d0f880fc1353d612

C:\Users\Admin\AppData\Local\Temp\RES8993.tmp

MD5 d1c40fd0d86043a4d1cb39e0e9c6587a
SHA1 aace5b93bfe7d1d1d0be88020b7edb708e47ad22
SHA256 b5430964be77c20f0d615c14c41f4d3408cdf79a165cd2b6abb58336e2b06302
SHA512 ac06bd211627c16141a2370b56609eff40c2c9f0e75fb7cd94a3b88475fd20805d936f96358a032a43168e770c63c967d4b82de83383747353090930dda3f0a0

memory/1552-18-0x0000000074A60000-0x0000000075011000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp884A.tmp.exe

MD5 6b6f41912b0b687b3ce6cd2747993f83
SHA1 87033edbad1dfd1902235b586467131b9e2c6b57
SHA256 46ff22bb3681f0a5d917f4781e7b457c81a5251bf68016997366bf563a0640da
SHA512 290e174914671674ef734ddcd54731ab1e2b9ce5a6fd121cf3cbdf19aec32668175e4873515a1442c81fc7ee575a3778399c57fd14c90f2877b9695387c2fee3

memory/3892-22-0x0000000074A60000-0x0000000075011000-memory.dmp

memory/1496-24-0x0000000074A60000-0x0000000075011000-memory.dmp

memory/1496-23-0x0000000074A60000-0x0000000075011000-memory.dmp

memory/1496-25-0x0000000074A60000-0x0000000075011000-memory.dmp

memory/1496-26-0x0000000074A60000-0x0000000075011000-memory.dmp

memory/1496-27-0x0000000074A60000-0x0000000075011000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 05:51

Reported: 2024-11-09 05:53

Platform: win7-20240903-en

Max time kernel: 120s

Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpE9C3.tmp.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpE9C3.tmp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2788 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2788 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2788 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2788 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2680 wrote to memory of 2848 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2680 wrote to memory of 2848 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2680 wrote to memory of 2848 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2680 wrote to memory of 2848 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2788 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe | C:\Users\Admin\AppData\Local\Temp\tmpE9C3.tmp.exe
PID 2788 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe | C:\Users\Admin\AppData\Local\Temp\tmpE9C3.tmp.exe
PID 2788 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe | C:\Users\Admin\AppData\Local\Temp\tmpE9C3.tmp.exe
PID 2788 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe | C:\Users\Admin\AppData\Local\Temp\tmpE9C3.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe

"C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tdky0clx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB0B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB0A.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpE9C3.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE9C3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cd8025c4845fe6d05e681a6bb668efe97ddd1899d23d5ad378080c6e2b202a94N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2788-0-0x00000000745A1000-0x00000000745A2000-memory.dmp

memory/2788-1-0x00000000745A0000-0x0000000074B4B000-memory.dmp

memory/2788-2-0x00000000745A0000-0x0000000074B4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tdky0clx.cmdline

MD5 fed1d2d74fcf9f2ebb06a01d71c08d41
SHA1 a62734bbcf101d6ef1cf5f89e2e22d95e2090445
SHA256 665dd3b88cd14c170e8f3c383819ab14c47191e7084f784be31a27fce44795de
SHA512 44736ec4ef8452c59a8606188e839c9e8df1c4dd1927a7cdc1e43dcdf32270dbe8afbebc7cb71165e4edf31db532a1f29a720c0a35e73f485b693c78410122bf

memory/2680-8-0x00000000745A0000-0x0000000074B4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tdky0clx.0.vb

MD5 3f808e1a3751cabdd98a4d92d479a91a
SHA1 0f30146b0aa0d51d28a1ad945bab45934c4b0e9c
SHA256 15b34b50188c2e44f78be4fb680b3420b15a59fba020a0c57d7c2c805fa6e2fc
SHA512 b3e8d0a158fbc3123b35c0c3cff6b294469a07dc63f898bb4357f905fedc6e72e14568e461ed5e6de25e06921256160bb0d5cccdc13bec5243d8e9b9f61b390f

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8008b17644b64cea2613d47c30c6e9f4
SHA1 4cd2935358e7a306af6aac6d1c0e495535bd5b32
SHA256 fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55
SHA512 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

C:\Users\Admin\AppData\Local\Temp\RESEB0B.tmp

MD5 148cf3f369f4f0e09c157c273418f1f0
SHA1 bc6d1b46155e5d48315ee15da1a3d52778af5d1f
SHA256 87173b60a57328539f3150e5f88f8e9fe5b6a3dab566cdb6aa57d5257cbbcbab
SHA512 5379d2a4dc189c929b7023fd2894f711c1c1fb3853baad93b805d2de05881b85f9eab4289d4b105d3346df9fac3aa463402d2fe78366b62c62ac2ca12a3a1829

C:\Users\Admin\AppData\Local\Temp\vbcEB0A.tmp

MD5 667ac222c090d2fd2af9265b5f678c5b
SHA1 f07dfb75a53812e383f18407d70a1eaa0d2d3bc0
SHA256 0a3e6f5dc62da28f077e4107cbaa3d0ef407e81bc86338341a5847967db6c9bb
SHA512 b7b89c0a20db917ef16f243b0a15b2e941edd071ec47afb265e1bd4d856f9523a8db392e43caea22c8681f5b8c7693b391cc2af068fc7dd30e5e99c2beff77d7

memory/2680-18-0x00000000745A0000-0x0000000074B4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE9C3.tmp.exe

MD5 016ebf1a17692cf760daed1abcf88e6a
SHA1 3a4521b85ab5688b554cd5f231a5a6d18d350cef
SHA256 6356028f295bf642290634881aea11792a6f12947e43fdfab8db24b8462decb0
SHA512 66b8ad0929b1d9f799ddf3385ef684f36845d621bab62413bf73dcf888d55a1f440795bde2323dbcaba19120445606488f472f442f238dd9ec5ca79c4d96d3b2

memory/2788-24-0x00000000745A0000-0x0000000074B4B000-memory.dmp