Malware Analysis Report

2024-11-16 13:11

Sample ID 240409-clhrxaeh4w
Target c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8
SHA256 c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8
Tags
persistence metamorpherrat rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8

Threat Level: Known bad

The file c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8 was found to be: Known bad.

Malicious Activity Summary

persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Uses the VBS compiler for execution

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 02:09

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 02:09

Reported

2024-04-09 02:12

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2016 wrote to memory of 4724 | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2016 wrote to memory of 4724 | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2016 wrote to memory of 4724 | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4724 wrote to memory of 3968 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 3968 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 3968 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2016 wrote to memory of 4956 | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe
PID 2016 wrote to memory of 4956 | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe
PID 2016 wrote to memory of 4956 | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe

"C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lsm3r-u8.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3014.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA4A77059CEA48DE8010A8891E663D8E.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3916 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network


Files

memory/2016-0-0x0000000074F80000-0x0000000075531000-memory.dmp

memory/2016-2-0x0000000001480000-0x0000000001490000-memory.dmp

memory/2016-1-0x0000000074F80000-0x0000000075531000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lsm3r-u8.cmdline

MD5 726a0fe4a0164edd8067faf100ed6d45
SHA1 1d7a119c18cf5ddd3a9e1b2ba9e0ca4bbc965697
SHA256 457c680a809f87dcf5ac93930386a7b6bdf57efd767dddf81814c37772dff0df
SHA512 591a57ff7959440076c6a553b008c87d4da6429e9dadb7685f70cf498b77e835cd346f05dc2ae59c377e3e7baa679246daf0384e8d3e0d9b193f54492670afb7

memory/4724-8-0x00000000023A0000-0x00000000023B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lsm3r-u8.0.vb

MD5 d708da0c29f9474e8e22c5db48dc71a1
SHA1 34c63cde8d71692041a82068a91676485ca608ba
SHA256 4eadfcdb7e45de848a8230f262a18d5022f3a76234d0acbdb3c0282e40c3bf63
SHA512 fb8ed3cc966d93eaf912652d1ced0f84f2d49e7ef5188b43dc8b9f01fbcf9087d14d2a459fa60f76fbffd723b96b760404ce320c8cd51bf2895f02af8f9bcbdc

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcAA4A77059CEA48DE8010A8891E663D8E.TMP

MD5 987521b850d84d38ddb9aa5dca34ff3e
SHA1 67c1a75c30393198dc8884f541e8a42077e7ca10
SHA256 9d54d2361766d1b6bd33dedaea0f59cfab3c1c56ae7ef15e44093031d300a64b
SHA512 755ed39969c89ef7ad00dbe8543d3b2efa84a04d3f6092f6a1fe781738b6d17220c77da56e3b77a1dff4ee95bd2c00e99f7cf1c9d0cb8207fcdaf945d55214d7

C:\Users\Admin\AppData\Local\Temp\RES3014.tmp

MD5 9cbd1272a8a5a42b5def9ae89262ac57
SHA1 f5a1e2d5151efc6f037b741f20f74c13cbe5d1a2
SHA256 eaa0c20ab16b61344aae2a478d39d18c40e22971f9b996399cac3dbf3312f979
SHA512 de9c349337916b69f5b0f2f54e8242a078c2c364cb87eceb77c46329f180bbdc75ee8183a9ebe628311ce55e74b2902ae65581e1d4ab62c38050ea3aec5b2047

C:\Users\Admin\AppData\Local\Temp\tmp2C7A.tmp.exe

MD5 a130bd0cd942dfe564d26efdd77cf1aa
SHA1 7fb8e0c4f952967f6146860f073c1161a8fbe709
SHA256 8b52496a2d3c95d7177cf58dde2446fef5b264d4af2cc022668d0838f6c3360b
SHA512 c627c5f3e05922e7d739e703d2e35a51efa9148628fecff2085cc8accd0d62fe4291556ef4b4538acb64e43de6231c07082414d6769ade0788e66f6f04f6592a

memory/4956-21-0x00000000010D0000-0x00000000010E0000-memory.dmp

memory/2016-22-0x0000000074F80000-0x0000000075531000-memory.dmp

memory/4956-23-0x0000000074F80000-0x0000000075531000-memory.dmp

memory/4956-24-0x0000000074F80000-0x0000000075531000-memory.dmp

memory/4956-26-0x00000000010D0000-0x00000000010E0000-memory.dmp

memory/4956-27-0x00000000010D0000-0x00000000010E0000-memory.dmp

memory/4956-28-0x0000000074F80000-0x0000000075531000-memory.dmp

memory/4956-29-0x00000000010D0000-0x00000000010E0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 02:09

Reported

2024-04-09 02:12

Platform

win7-20240221-en

Max time kernel

164s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8305.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp8305.tmp.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp8305.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2384 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2384 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2384 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2384 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2512 wrote to memory of 1720 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2512 wrote to memory of 1720 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2512 wrote to memory of 1720 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2512 wrote to memory of 1720 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2384 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | C:\Users\Admin\AppData\Local\Temp\tmp8305.tmp.exe
PID 2384 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | C:\Users\Admin\AppData\Local\Temp\tmp8305.tmp.exe
PID 2384 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | C:\Users\Admin\AppData\Local\Temp\tmp8305.tmp.exe
PID 2384 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe | C:\Users\Admin\AppData\Local\Temp\tmp8305.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe

"C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ktxuntmk.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84AB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc84AA.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp8305.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8305.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c3ead0cd7e949eeae49a7e66bc3a8d90474269b9c95549ca539bc79436ca5eb8.exe

Network


Files

memory/2384-0-0x0000000074390000-0x000000007493B000-memory.dmp

memory/2384-1-0x0000000074390000-0x000000007493B000-memory.dmp

memory/2384-2-0x00000000003E0000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ktxuntmk.cmdline

MD5 a494b15c2fab7eae176dfeba0b822cdd
SHA1 d38858d886ccf04d0062d9642d5a53e3c80ff2fd
SHA256 78ca1eb9cf72a3f738cb9cf307a9f692f95d526f941d877bc1eda0f659f218ed
SHA512 ff7a58aa6941bdaac3a5d4509cdc25b2480f72df0c1be857be5155aef5f2294531d2e6ad54a25bd3eca482947f4085347ef6f40cb0e37ada10bde0c12fa8cfb4

memory/2512-8-0x0000000002170000-0x00000000021B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ktxuntmk.0.vb

MD5 953f6c67d08b4d333c3759d378a5641f
SHA1 1ae407bf31638381a68a228c7c09285b83ab11d4
SHA256 3dc4e6db044277178980dbb77ca56cbb7a9ffb5c2d8b7d8cbb6bd31ac42092f8
SHA512 cb7ff6a5c5702a5026188b61cc6d1e84f83e41bfc473f48645681b46f9f160b40833a59cd103c25404db4b6b6ede5dd27ca19d175307ecd9d34dabf5e27a62b6

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc84AA.tmp

MD5 1cfb72f50fa71e1b6ebd022f5b81542d
SHA1 d649149779a9c6187d9bc6599d3e948bc9f35503
SHA256 349771d1a16bf90e09b51b05d33737a1de0a0671876c59c8884b1a9cf992ac75
SHA512 969d427914705dfa97b4b014e6295f016e75dd3c9ae98099a1555ce9808dc859c6dc80f96a9306e7afd60a877a9b29d3820b415780ae150b464dde09eed765f5

C:\Users\Admin\AppData\Local\Temp\RES84AB.tmp

MD5 b2a397aacc6ee25fab9a620aa0638fa6
SHA1 6a077e55d5dd1d0e2b033e7f9caca726ff98d64b
SHA256 36a545ddc9c4755c3bb2ced00c8e97f82d022957056056211937e22c461832f8
SHA512 b3876b8915a14713d3eb6b651ded5e427426afc07357f08b3c5be38b7001e99d8de056c0068fcec74319c195c16bb77e242c37743ff66f7615c6fe63e5aad805

C:\Users\Admin\AppData\Local\Temp\tmp8305.tmp.exe

MD5 79c646a46d0a343f772de78bb33fee4b
SHA1 2eb805e58dfdd32bfa97bafe8a252a7476245a8e
SHA256 7b63b7118d33621456522da6a9c51cdfab79d3a60f7a1f5e11a487bc7159dfeb
SHA512 bb7b32515786d936ff55bd172a67ce3d2efe15608491e135a0fc5aeaffddb336fe6b9ed25b442b8500cc3220f6e444534fc986670ce3e63513d1c5708c5c4cdc

memory/2384-23-0x0000000074390000-0x000000007493B000-memory.dmp

memory/2644-24-0x0000000074390000-0x000000007493B000-memory.dmp

memory/2644-25-0x0000000000540000-0x0000000000580000-memory.dmp

memory/2644-26-0x0000000074390000-0x000000007493B000-memory.dmp

memory/2644-28-0x0000000000540000-0x0000000000580000-memory.dmp

memory/2644-29-0x0000000074390000-0x000000007493B000-memory.dmp

memory/2644-30-0x0000000000540000-0x0000000000580000-memory.dmp

memory/2644-31-0x0000000000540000-0x0000000000580000-memory.dmp