Malware Analysis Report

2024-11-16 13:11

Sample ID 240408-cez3lsdf34
Target d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e
SHA256 d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e

Threat Level: Known bad

The file d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 02:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 02:00

Reported

2024-04-08 02:02

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp95B8.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp95B8.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp95B8.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4004 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4020 wrote to memory of 228 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4004 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe C:\Users\Admin\AppData\Local\Temp\tmp95B8.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe

"C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zggyny_a.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9877.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc12D51EACE16D463881A9B7152B4CB0.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp95B8.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp95B8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe

Network


Files

memory/4004-0-0x0000000074E20000-0x00000000753D1000-memory.dmp

memory/4004-1-0x0000000074E20000-0x00000000753D1000-memory.dmp

memory/4004-2-0x0000000000DF0000-0x0000000000E00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zggyny_a.cmdline

MD5 3f32bee5d01ba8c9221fc86cc6abf01b
SHA1 b91abfe88437e02315ed274585aaa767a0d6041d
SHA256 3b3c17f8e2bc00364fb028d0a6f0e95434b3241107659147c757f375e5047e42
SHA512 ce01bba628d758573ac2a4a919199de931d9f72596121dfa223fc632ae5a73ea2fa75c457efb622b6da3697a4f115c3d452f91f543fd53f15c0e71009378e143

C:\Users\Admin\AppData\Local\Temp\zggyny_a.0.vb

MD5 c87e312addaca667a248342317ee43e7
SHA1 2bb285f770ad6ebfcee602d98a86796e4092ba3c
SHA256 8b2372bcb8eed59383af9ed5fd783ad9eb4b63df7e8c7d2f7dad8a561579d927
SHA512 e6f83cb0c0e4a38cde032a56e9b0ba06b561489e15d72667fe149e8f9d08d7f30487bd8ee85c870525dd9fcdc95b11be9d6ddf32ab6f5ce87612db5339970a9d

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc12D51EACE16D463881A9B7152B4CB0.TMP

MD5 80bb7da641b09eb99e7708c259239a27
SHA1 bb3f1d5713b551ea38c5c792402b2911513d7aab
SHA256 22c243aee2e8022b9b4cb0860e9eb499a8818eccf65ae97d273e6a7a855bc6d1
SHA512 f5c40f6f62c3839a419c9fa985c1b0edc69d0e9def8fe511447e93ba9d816da13472d22813d68a42884eb4d369b3d7274c9322fedea48c810c1e9c95bb4d5abe

C:\Users\Admin\AppData\Local\Temp\RES9877.tmp

MD5 cdddd359871468d1c085087170e488b1
SHA1 51e4ad0121bd2a3210b615d541dc51f8c7f277bc
SHA256 8451552219b08b881c30eae9a31a24ae02ccdb43d69c40d59ec7391749607751
SHA512 3bf7e6a5c1fe38d3745bbc9572c9673a87c74eba8cdca2614684d3d480fe17d4648529eda75da712ec4988866799dc529b0ed375c93c334bd5b377a1673994a4

C:\Users\Admin\AppData\Local\Temp\tmp95B8.tmp.exe

MD5 56d63316eca2de05b3c5101cc49a02b7
SHA1 0f7c055941e1527b8d6637e669ac54244d43a652
SHA256 bd3981369cf2cc92f7be09865f1ebdfe3dccccc89489fab5ec5448f111e7e46d
SHA512 e85ae7f3510bd889a12035c90c79d7b049658a57fbc9ec583758c11c46567aa320276b6cc8bee5af0ae1c4ef19b10e9dbe67959c2c2409d0652ff9dfc802750e

memory/4004-20-0x0000000074E20000-0x00000000753D1000-memory.dmp

memory/3100-21-0x0000000074E20000-0x00000000753D1000-memory.dmp

memory/3100-22-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

memory/3100-23-0x0000000074E20000-0x00000000753D1000-memory.dmp

memory/3100-25-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

memory/3100-26-0x0000000074E20000-0x00000000753D1000-memory.dmp

memory/3100-27-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

memory/3100-28-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 02:00

Reported

2024-04-08 02:02

Platform

win7-20240221-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 804 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2992 wrote to memory of 2996 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 804 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe

"C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mj1d4ouw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E39.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E38.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe

Network


Files

memory/804-0-0x0000000074F80000-0x000000007552B000-memory.dmp

memory/804-1-0x0000000074F80000-0x000000007552B000-memory.dmp

memory/804-2-0x0000000000320000-0x0000000000360000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mj1d4ouw.cmdline

MD5 c995ffea880ae5effe711bcc31a67526
SHA1 f31c9c9957a34457a177e4c572b683e4205c7b7a
SHA256 5d2c914f5902cda377495a9bc2a8e1ea192f162a5e2e5f311e42165c22d45e16
SHA512 ab7d90b6615a850de599cde5a2a97cc4a80c98c523f3674f26b46a4a0b9636087214d375c2335f66beace1bd238215d673e14f79ca9e3d04f4ba4fc623b30203

memory/2992-8-0x0000000001F30000-0x0000000001F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mj1d4ouw.0.vb

MD5 4548e12a02cc1f752616bdf4a8b8e88b
SHA1 bed243f51575293e2654ec7729129b51f832d906
SHA256 4ceef0f0184b6ce9b4bb07e3294b29f83bfec7eed2dcc80146726bd74b5c95c4
SHA512 b2e7ce15e3fb4b381c081d68b116deadc072dd2543aefbae70ef1de2f7154c7acd720e093ad5f5725cba0ed47626993ebc04eb4037535d740798ad873bed7bab

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc3E38.tmp

MD5 e4f239da4b0f43dc254b23cb82a34001
SHA1 1d121f58e19e72228e4c1ab4149481efce89b5d2
SHA256 f141b19efefe27dc43a2873232e439f6e020f8233939eaea80738b3415418f81
SHA512 a43bade9bbdd661191490838c0191039b017d9ac769b289ecfcc088b784751ff41ffa62c89b3c002fdc81cd878d8fc5fd25046320aa05f82b154fad66f79ced3

C:\Users\Admin\AppData\Local\Temp\RES3E39.tmp

MD5 8554bd7b09032d6b48ec37d91202c925
SHA1 63675c1fe055e9dfb960db9ace6637169a5a2527
SHA256 6b75a90615cf9ff51d4b4cdb2ce24967bfef84cc63f7d617d73a458a3f456dc6
SHA512 51f4051d5f7fc869af824e71429921eddae77b43474c738861d9a31d1e736b7002223c284ac7fe16037b19f7355eaefde899d023e03fb19d8c5aa8b7712a5c45

C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp.exe

MD5 1be6f1cd434fa65f852a86340bbe6687
SHA1 e5d0a45ccaf55d3697ae4dad17b59f38b66ce085
SHA256 0f4d3f49e93ad5e9ff1a1e788c86bf8ad5f411680730b96d09df07a299f4df15
SHA512 1cbbc69dc6b46c6492e2cd0e4ed226427bb7aebfed194a6631fda4baac9b6fee29b10e078d63d0686c8f1e85be95324f817252327f8e50818c6280927270e550

memory/804-23-0x0000000074F80000-0x000000007552B000-memory.dmp

memory/2508-24-0x0000000074F80000-0x000000007552B000-memory.dmp

memory/2508-25-0x0000000000540000-0x0000000000580000-memory.dmp

memory/2508-26-0x0000000074F80000-0x000000007552B000-memory.dmp

memory/2508-28-0x0000000000540000-0x0000000000580000-memory.dmp

memory/2508-30-0x0000000000540000-0x0000000000580000-memory.dmp

memory/2508-29-0x0000000074F80000-0x000000007552B000-memory.dmp

memory/2508-31-0x0000000000540000-0x0000000000580000-memory.dmp