Malware Analysis Report

2024-11-16 13:11

Sample ID 241110-hkm8ws1hpl
Target b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN
SHA256 b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bb
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-11-10 06:47

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 06:47

Reported

2024-11-10 06:49

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2688 wrote to memory of 4872 | N/A | C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4872 wrote to memory of 3276 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2688 wrote to memory of 4976 | N/A | C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe

"C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kviqmqcu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8770.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94C722595F844E9FB14C5AFA93D9FDB7.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe

Network


Files

memory/2688-0-0x0000000074BB2000-0x0000000074BB3000-memory.dmp

memory/2688-1-0x0000000074BB0000-0x0000000075161000-memory.dmp

memory/2688-2-0x0000000074BB0000-0x0000000075161000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kviqmqcu.cmdline

MD5 87fedf2af133a950e3695fb8c534c5d8
SHA1 e5cd25e4c8b81495baecf098ff67a268e11c9936
SHA256 6b2365b93cd2be0ef058ed9d1fc8d878c61e1df35f91c4fd0b2d16a02505553c
SHA512 d8ab77f88fb5401b87a503ba55d97ec16a2c401ec084f344fbc8d2f9e877a15a2527800e8a582588ec81a266e3154d924e8fa9dbaaf2e2705fac9ed85f866826

memory/4872-8-0x0000000074BB0000-0x0000000075161000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kviqmqcu.0.vb

MD5 8eb61d6ff9adea6a5972b8ed9b9bc078
SHA1 24cac37e4dcd5d15737141622d7ee3f771559eda
SHA256 688000902bc4dfe1ea4b4d53db0b47fdc55a4c8535ea21ab3698d469c56d3310
SHA512 1463650a35965de5d3ce0b9a34a988adef951c862d2e25e5e6d00156e3c2d27c93c747fef59353b449fcc7dad890c085a0429174471db4a6d8d19532f5e77fc6

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc94C722595F844E9FB14C5AFA93D9FDB7.TMP

MD5 511761bc67de9d7d3c0c13fdb3b1b7f8
SHA1 0957d1eb99b5bc3aa0fad888400bb1ac6a91499f
SHA256 f34d8d467ee3b03fe0430ee6c7d06e5db44a7833590dbef360feffd7033f0e6d
SHA512 7d04d1f35678140ebe25d637a43c247f9f221ebd9d97de0c59e8a639502a3de5ad96af5fd12ce1fd32c82ed436f7ae1b545fc73834a4073b802900c3f798368c

C:\Users\Admin\AppData\Local\Temp\RES8770.tmp

MD5 48678837cf13b1e4882f21d4c04a37d9
SHA1 c78f8c6f83d2b72cc0ad10316b8c76df954facad
SHA256 1174681a1397fa1031910c98876a93a1c02f47718a90fc3ee91e5e5607c6f6b0
SHA512 c48c932d63ed8b5034e47d658f9ed152fe45f5394e3b77164d469631a4e2f076bb6f192346e6193da0dbfdfceee2b9d9404f67bef7ad13c179fb38d72534eb7b

memory/4872-18-0x0000000074BB0000-0x0000000075161000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe

MD5 3a35fccc072f32e5c7e72418f1cd80d8
SHA1 966e5dd518ac7d94790a0939cbe18454cec7fe71
SHA256 8d18d8264e4fe43c5f03093086fec5e129f3cabe50d8f36e84e995428c5b8946
SHA512 23f54e5e7974288a9d7347b83e089a9156acab3bfe06b5abdbe61a7dc8b516975c86bafc327956e843b1adc918a4fb661bde1444caa63f8feb7ecc55e15f015c

memory/2688-22-0x0000000074BB0000-0x0000000075161000-memory.dmp

memory/4976-23-0x0000000074BB0000-0x0000000075161000-memory.dmp

memory/4976-24-0x0000000074BB0000-0x0000000075161000-memory.dmp

memory/4976-26-0x0000000074BB0000-0x0000000075161000-memory.dmp

memory/4976-27-0x0000000074BB0000-0x0000000075161000-memory.dmp

memory/4976-28-0x0000000074BB0000-0x0000000075161000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 06:47

Reported

2024-11-10 06:49

Platform

win7-20240903-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp80D3.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp80D3.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp80D3.tmp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp80D3.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2076 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1848 wrote to memory of 2300 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2076 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe | C:\Users\Admin\AppData\Local\Temp\tmp80D3.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe

"C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\82uh9pwf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8190.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc818F.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp80D3.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp80D3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b547ea610b5c086f0eb820c31a3bea4b31735ab26dcb64496379c19a7c3823bbN.exe

Network


Files

memory/2076-0-0x0000000074801000-0x0000000074802000-memory.dmp

memory/2076-1-0x0000000074800000-0x0000000074DAB000-memory.dmp

memory/2076-2-0x0000000074800000-0x0000000074DAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\82uh9pwf.cmdline

MD5 0bcdb658f3044ba96cf2f557b06a1937
SHA1 74cbc86e9a5cb95ea8135df7c7355b459c0e4911
SHA256 b6b4a5dfb1ae29a91b87e850ade5ff8b3b59c7d6af49229702939191c6a5d3e6
SHA512 946d2157bedd16d2aa9a64a3cbe032d65ee18bd51c4bf4e0191628371d3748fce07143cb3c64483dd8dfc5635ffbbd8cd13c94d1e82f74ba85dd384d04be2f0e

C:\Users\Admin\AppData\Local\Temp\82uh9pwf.0.vb

MD5 4b38a0c659551afff7b2164769966923
SHA1 8a14b92399c91588d7880c03e67ee175bb278769
SHA256 718188b16dbf5d48fea4be0bfd5271dbc846787d03b626b39bb7f2b4f00f15dd
SHA512 fab9e7e171bd831a47a9e90290eea0345ddfc48ade36b00c4fb49d7ea81fc1e3a404bafd4ec8f298ec9d6d15c1a9a3e226aa4d959408aedefb4eba88dc4ac35b

memory/1848-9-0x0000000074800000-0x0000000074DAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc818F.tmp

MD5 75a52caf48f5e41ee45a65a2ac6000e3
SHA1 5d953fff2ddec9867b997f9248d19a9ddcf4bf51
SHA256 3e97d06ae6777c254cb1654a6b79091061bef780b59938f7d1d7cea387cf7389
SHA512 2e9bb7718878f30d2a43ae6a36d5ac3463e8e5a9aee8d7aa553dd9099d4e481465162ff00a62ae35ef4ef102f9329ca546655fb25244a4fa62b778074cbd9b7c

C:\Users\Admin\AppData\Local\Temp\RES8190.tmp

MD5 155468a2f55f31cc3cf6ae57d1e0496f
SHA1 c5a8519f20157a2eab3203c2a4b64fba7819a928
SHA256 5aae1c36db88e991574788e206d9b1e47a6fb301b83e26666c48b750aae4bb79
SHA512 6d57d3490b072039c21f5e22ff1e0345b066959a037b388f9a50c2113e8cc981d44b9e535603bb811ce1156cca3ff337f847ee09256badda5e9a97532fc26c8c

memory/1848-18-0x0000000074800000-0x0000000074DAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp80D3.tmp.exe

MD5 7f0951e823b10b29b3b469f1564bf833
SHA1 73695285b5d810a5ca7b09364333e4b4e5bc1100
SHA256 6550b2cf47e9f76025af83c65bc19e37230d3698c80f4366de59841a49c4a3ff
SHA512 e921f0a2871f8913dea78d6b5d91a00cf8fa37dc312d34d18dab147618dc134aad564d9863306a4d2853b04e1ab5dcdbbf1b19629048a34ebee7b07760c7f1e2

memory/2076-24-0x0000000074800000-0x0000000074DAB000-memory.dmp