Malware Analysis Report

2024-11-16 13:11

Sample ID 240408-3qavzaaf7x
Target 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2
SHA256 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2

Threat Level: Known bad

The file 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Checks computer location settings

Deletes itself

Uses the VBS compiler for execution

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 23:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 23:42

Reported

2024-04-08 23:45

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp56EA.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp56EA.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp56EA.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp56EA.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 908 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 908 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 908 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4720 wrote to memory of 368 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4720 wrote to memory of 368 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4720 wrote to memory of 368 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 908 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe C:\Users\Admin\AppData\Local\Temp\tmp56EA.tmp.exe
PID 908 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe C:\Users\Admin\AppData\Local\Temp\tmp56EA.tmp.exe
PID 908 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe C:\Users\Admin\AppData\Local\Temp\tmp56EA.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe

"C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ycvwefbh.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5890.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A670FCA7A334F54A44161660A0D9CB.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp56EA.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp56EA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 219.135.221.88.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 77.239.69.13.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 tcp

Files

memory/908-0-0x0000000074780000-0x0000000074D31000-memory.dmp

memory/908-1-0x0000000074780000-0x0000000074D31000-memory.dmp

memory/908-2-0x00000000012E0000-0x00000000012F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ycvwefbh.cmdline

MD5 6a6d99b3ee0c98405c6665c26604c11b
SHA1 24a0b03f16005e8136905a4b5870250c620bd73f
SHA256 584e9d2e609ed7ee7d225527cef8d5e60a8f3a36641a7bfa783927f2ae04ff38
SHA512 d94227495c458a988b42c83779b45a34160dc1c256eb8a502d0ce87e5f8531cd170ba87626143bad03fa154fa3ca8aa6bc7f5c285218ed9ea7dd71705396102c

memory/4720-8-0x0000000002690000-0x00000000026A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ycvwefbh.0.vb

MD5 0a1d879802aedef8e7c1f407492a41b9
SHA1 4aaf77c78206d20c670a41ad76dc94ee177b137f
SHA256 a400bf1e2680d042af02ddb0531d0314051ac2f5747e9e5806e96ffd24d138fc
SHA512 2c89eb988ec5bfdbd035911843448be3843199a20b0ac0851db4303f299ecc7e8b9302e1e5061de01b96a1d67470fb002b876b58695ebc8ea4beb58fe7c0a271

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc8A670FCA7A334F54A44161660A0D9CB.TMP

MD5 f93b92d0e7a1b0acb8aedcba4b899e76
SHA1 49f2807c9ef3c0d203f1ba11bc1e192e9ddf34d8
SHA256 27829cbe96458d5a920dce255c20d5478d7b4222d8e19c0e8e31e52e444b80ce
SHA512 b7bd4b3ff803787e077b8f4422263898c15e0d34cb03c70415b159f537dfa0b33d46a45d597ee1511bf2619d84ee1cc03dbe092f2fde781367340ff4e5fb2555

C:\Users\Admin\AppData\Local\Temp\RES5890.tmp

MD5 465892bdcbd56fbd2a795b3fbaccfb52
SHA1 2743d27d5e65319619c621d76ca02627855ce336
SHA256 09e75cef72375b514922ba7c3d15866ded61d2bfb763d4bfcd759e07cd74e64b
SHA512 a61aedae46388e660582bc39a01c64e7290ab1a474382bde2b71d2dba9f1713dff85e8659cf033c5dfab0fa37e5c8da08488da452248d025cd3a700ef81a4ac6

C:\Users\Admin\AppData\Local\Temp\tmp56EA.tmp.exe

MD5 5340a4bb9b2ad810afb6a1c54ddcd440
SHA1 8050aa97a00b3a60467eee152ad093e6df55c058
SHA256 1d176fef64190048753ffd5de475b52ee97a2579ee8c6792ff407d933223d523
SHA512 8d64a958836d68e52392cd770e375baef77ff16fe0dfad37cf087f3d0dfe164ab5e4e749ed50c0a29cd6bad329ac89634d8c9e71eb687e0fe3423191ed5cb2d3

memory/908-21-0x0000000074780000-0x0000000074D31000-memory.dmp

memory/3032-22-0x0000000074780000-0x0000000074D31000-memory.dmp

memory/3032-23-0x0000000000CF0000-0x0000000000D00000-memory.dmp

memory/3032-24-0x0000000074780000-0x0000000074D31000-memory.dmp

memory/3032-26-0x0000000000CF0000-0x0000000000D00000-memory.dmp

memory/3032-27-0x0000000000CF0000-0x0000000000D00000-memory.dmp

memory/3032-28-0x0000000074780000-0x0000000074D31000-memory.dmp

memory/3032-29-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 23:42

Reported

2024-04-08 23:45

Platform

win7-20240215-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3000 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2128 wrote to memory of 2088 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2128 wrote to memory of 2088 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2128 wrote to memory of 2088 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2128 wrote to memory of 2088 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3000 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.exe
PID 3000 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.exe
PID 3000 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.exe
PID 3000 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe

"C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uozzhbfw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1121.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1120.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 tcp

Files

memory/3000-0-0x00000000742A0000-0x000000007484B000-memory.dmp

memory/3000-1-0x00000000742A0000-0x000000007484B000-memory.dmp

memory/3000-2-0x0000000000510000-0x0000000000550000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uozzhbfw.cmdline

MD5 15b8e71703e95626082487d988274026
SHA1 c9cff33e89d631dd757a3c6c4f58642f09d0ea35
SHA256 be0b89c1405eda823b8d8550ec0a0cfcc358ab83133a2d1d29366467ff56f423
SHA512 1b7ce15c112f5ae0d0fb0b1dded1fe4486ed32801d3be3a3393d3a9d0dcd16a348a17ec609e6b9f0f53d4bb3b49eb5e4541d24957ea225177f47006bda3adc6a

C:\Users\Admin\AppData\Local\Temp\uozzhbfw.0.vb

MD5 ef4f7eb172f75b02e9f90a0d94e974a9
SHA1 5481721f023b530bc9c65501e259de545af64f82
SHA256 d26f47ed81dbed6b6d6a2c8c35f233f0f9829003198550ea79e50aa47ab73a88
SHA512 f8d18dd5b57a61ea3affef4bcc046c755a5dc0112bf17227c94e2b506ecfcc7debcb7b6291c43ea0b0002ba5339251668874cfe44975b42a66693ba1a19dd4b3

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\RES1121.tmp

MD5 94dddfd0c0e280234f98efa0e911d5b1
SHA1 2e3056260610aa255306af39692924ab5f9f6ab2
SHA256 53793a05f5a4f630fce78872de0e41e8df2a3f7b5adaebbce0d367252df071e0
SHA512 a3e1f1b0ba4757f2d5444bdd0ae41a3675151c6f4afc5a7d04dd0fcc88e1c5588789eb675d18d5ac88456b4fe90cec59238c9fe21fc703789cb34f52d1d5c04c

C:\Users\Admin\AppData\Local\Temp\vbc1120.tmp

MD5 988c624cd3d21df4c9953b687d0104d8
SHA1 672e1728eea204899c269795d46f776a95af9f09
SHA256 91d408a8eacfd25a8c61fc07f6cd1a065b53b467feac69dc45376f285061b0c2
SHA512 2e19b76d17e8ddc4915d985a137f904ba7c4185c5d2477ff83a3801c271cef30749bc45fff6e86257967dd34ce57bc2a6a2a763ed9c5ab0a0a14955489c078fa

C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.exe

MD5 51fe6562a574b602020d2bed5bc3465b
SHA1 e578a53a4c027833417b7f240843e9dff541ee93
SHA256 087c7fca2d37ca08f53f128fc6c73970f0471e70e37819c40f03a258c0c1053a
SHA512 89c1eaef87504a5bc0e5edaa91202b6669ae83bf19015f06d602746146344f1a42f6347d2d35b38ed8ea4fe64be68db174485ce5454bd4e80bf52c7f64be6afc

memory/2664-23-0x00000000742A0000-0x000000007484B000-memory.dmp

memory/2664-24-0x0000000000AD0000-0x0000000000B10000-memory.dmp

memory/2664-25-0x00000000742A0000-0x000000007484B000-memory.dmp

memory/3000-22-0x00000000742A0000-0x000000007484B000-memory.dmp

memory/2664-27-0x0000000000AD0000-0x0000000000B10000-memory.dmp

memory/2664-29-0x0000000000AD0000-0x0000000000B10000-memory.dmp

memory/2664-28-0x00000000742A0000-0x000000007484B000-memory.dmp

memory/2664-30-0x0000000000AD0000-0x0000000000B10000-memory.dmp