Malware Analysis Report

2024-11-16 13:10

Sample ID 240408-zrvpzsbf92
Target 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0
SHA256 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0
Tags

metamorpherrat persistence rat stealer trojan

Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0

Threat Level: Known bad

The file 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Deletes itself

Uses the VBS compiler for execution

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 20:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 20:57

Reported

2024-04-08 21:00

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4D45.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4D45.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp4D45.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp4D45.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2596 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2596 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2596 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2148 wrote to memory of 4112 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2148 wrote to memory of 4112 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2148 wrote to memory of 4112 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2596 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe C:\Users\Admin\AppData\Local\Temp\tmp4D45.tmp.exe
PID 2596 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe C:\Users\Admin\AppData\Local\Temp\tmp4D45.tmp.exe
PID 2596 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe C:\Users\Admin\AppData\Local\Temp\tmp4D45.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe

"C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\peyqrj5o.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E2F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc41213723B7CE4C5DACA2D181F64FE652.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp4D45.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4D45.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\peyqrj5o.cmdline

MD5 5a216974017482847e1173ddebf923c0
SHA1 144ede6c6347f9a580df03ec6e56d0fa27284ac6
SHA256 3370007520b70ffd1737cf9276e895c410356050c77136d2c4cb411579a9f1e2
SHA512 72954a16306b57e982025b4568769d1073641875acffbfc19b889b1583702ec4e35b27a2c321c162e0572060baa66806ed177af7426f4a87a85926626cf46d17

C:\Users\Admin\AppData\Local\Temp\peyqrj5o.0.vb

MD5 2fade4e56662a80ec5b531584334c8b1
SHA1 a7281f32fee391b8e571eb9782879dfe85725649
SHA256 c02937ba4d58b1f5a0b0ea925c3ec57aa864bb5970a58ffbf561007fde1d6aad
SHA512 8fcc97a5c973f0d3d82a2d2bf9ef5f5eac3bcbe6d40af88fe918e02b09af5763f48e6684c7c2399c420372103bd657c7628391128fe90485895e3eea24ea80dd

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc41213723B7CE4C5DACA2D181F64FE652.TMP

MD5 d1b7eff95375eeb1a2e61b3a49c4ec20
SHA1 b415d745e1501b20239c7dbd5686f5554a6930f2
SHA256 0b30b43121b8b8a30aa3e9297eb2361e37d55aa582d3c279b0618675e2d5e790
SHA512 29d2be7d07e4923143a365f0a565fe5760e9554e4b05c8169246543bce370738c2df919068fd43e6aaa4dd81daf418cd3ee1cdd8c1f3aa38f6627ef6cdc7ee3b

C:\Users\Admin\AppData\Local\Temp\RES4E2F.tmp

MD5 99c6684879572f000a9d4e3ac83194a6
SHA1 b810fc679d74ab446ee08ee2cd0110884da6fb3f
SHA256 8a6304ae0835c4ba56b9b324e6d5ae759856b7e537877d54b41da4926a63a5d6
SHA512 d5b329bde0c9a9bb78d92cf7a1341d12ebc5157bbd2e63b72ce1d9ff857b6e026c5482e45319684322dcc17b6059644ec18eaf1c46d489b686feef9bd00ffdab

C:\Users\Admin\AppData\Local\Temp\tmp4D45.tmp.exe

MD5 17ef610a75030ce7cf21bb881cb15331
SHA1 56a380fd672a4895744524a123ed259b046fa02a
SHA256 e2bc5dce3a85eeda0cc46783b4f5a16726bff570e405db34c20b0f1c72f7e6fe
SHA512 87944babb652eabfcee38b00ae6ffa9b4d3a1146a40dfe80a11f73bbe8521b4b57c42a71f7152a9ffb41a70a9d1f98c5fa311c604a0f5cf9d7a2113eb71fdd78

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 20:57

Reported

2024-04-08 21:00

Platform

win7-20240319-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp3939.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp3939.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp3939.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2200 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2200 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2200 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1640 wrote to memory of 1704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1640 wrote to memory of 1704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1640 wrote to memory of 1704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1640 wrote to memory of 1704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2200 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe C:\Users\Admin\AppData\Local\Temp\tmp3939.tmp.exe
PID 2200 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe C:\Users\Admin\AppData\Local\Temp\tmp3939.tmp.exe
PID 2200 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe C:\Users\Admin\AppData\Local\Temp\tmp3939.tmp.exe
PID 2200 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe C:\Users\Admin\AppData\Local\Temp\tmp3939.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe

"C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dx6gioj1.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AEF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3ADE.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp3939.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3939.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\dx6gioj1.cmdline

MD5 0bc7d7beeaca525bfacc50b88107e019
SHA1 9faa7108d160445a3dc96e5219ffc8ac19589d67
SHA256 581f574e56cb170f4b9dfa5bc2d034ef561118f2cb55b72b76a5422693e5e607
SHA512 7ef32de564f8afb0c42a078f7d11d9b7fc85a0f4c222cc7bd3826996938dde7e20554a84118b2458411ad4fee659fa1785dcd779373d2c6c6ad0592727722555

C:\Users\Admin\AppData\Local\Temp\dx6gioj1.0.vb

MD5 89dea00193b6fc0090abaa5b3d4048ea
SHA1 2bbbfdd7c1b29c06a1f87e2e32ce01cf3f1b5a59
SHA256 2642a8befa174d2529000518d0efcb28872588e5fb5c73df40e64ddcaffd23fd
SHA512 2aad1747b4cdae6cb20d167e4ddef7552d2188290271678504065dd550ab06ec51b0a61d9f61143c7d93fb0bcd6e8b7a8f888fc876335f5b098e276ffd5db1fc

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc3ADE.tmp

MD5 0f5de4148b83d89418a78816e69bb8d7
SHA1 1de400d24ae2c663e7ac87540209c3b22d3b2ce5
SHA256 96e5ad45be923f22b2b3903b3fa4f627dba12ee269cf2e0bdbbf7b166cfe4b80
SHA512 f475bfcf5f12e255e1d3d7beaf171b95ba1c56c2069ff8a26fb8e344fe219705b2cbfeb1b301df7cbe13acf2a2d1fe1000b03faea6773323948181d01a837ebc

C:\Users\Admin\AppData\Local\Temp\RES3AEF.tmp

MD5 fe14fa87a4f9a0640d6e73db7c17c0a6
SHA1 7bff7a28ea272e99a95ed267376b18ffc0a79445
SHA256 6f2f97b0e9adcab057f70a8dedaa3da482cefb69b4d29dfc2db0e42615f0a6f1
SHA512 b0c283bfb118519c3ddd1a3832bbe6a53684615162de1f0d70e4ed70fab210d3cd9ace5e979d6147c06d45c6c891e166bed5d55b7242deaa415eb783dd02e397

C:\Users\Admin\AppData\Local\Temp\tmp3939.tmp.exe

MD5 f365f15321401d1173ffd399e36e811c
SHA1 adca584023d4ffca46a64b5caa3e73d7510f5e94
SHA256 8125a1d8bc6cf5aaf9eef7a9c616918fed49f1a0e219e4fcdd3962f1ed1e3c38
SHA512 89179e006cb720d596dc64d9a79c5ae50f0070aed92a83d45a91be5dd43658d98e7a474ebbb46e25a1c8d71017375c0f433562f4d7508c169bc9497f5d0d9c0e
