Malware Analysis Report

2024-11-16 13:11

Sample ID 240411-w1nfgscf4s
Target 0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9
SHA256 0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9

Threat Level: Known bad

The file 0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Uses the VBS compiler for execution

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-04-11 18:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-11 18:23

Reported

2024-04-11 18:26

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp42B6.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp42B6.tmp.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp42B6.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2932 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2932 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2932 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2484 wrote to memory of 3744 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2484 wrote to memory of 3744 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2484 wrote to memory of 3744 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2932 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | C:\Users\Admin\AppData\Local\Temp\tmp42B6.tmp.exe
PID 2932 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | C:\Users\Admin\AppData\Local\Temp\tmp42B6.tmp.exe
PID 2932 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | C:\Users\Admin\AppData\Local\Temp\tmp42B6.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe

"C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cqzzydlq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4391.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA5F96708A9A54E168484431D2737D79.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp42B6.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp42B6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp

Files

memory/2932-0-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/2932-1-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/2932-2-0x0000000000980000-0x0000000000990000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cqzzydlq.cmdline

MD5 0a2b6f9a94c469ebfb967ef0ec52374e
SHA1 cfcc0469cc7e8a39d4defce21f7233d27355c322
SHA256 ffcd63d56ea1bba07e7807dc082e7feac5993d47bd46d0b1ae0c5f6fa645b070
SHA512 944b3c80d24f77e133b616c26ef388db6a9cf5f5d289ef33d1e3fd5b9ca00dfbbd2ff19be71673c274f612c8a33e76f25b04812bf6120e4b320b66aeb822dbe4

memory/2484-8-0x0000000002480000-0x0000000002490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cqzzydlq.0.vb

MD5 153f881f97eb6cb7e1f079b5bfada3fc
SHA1 b428a142705b6bea3b3ccca9cd4939fef26a769f
SHA256 3f544f7fcb359b4efb3c56f19a33af94de9dea085afbb623e6f761c8c6879d97
SHA512 a4277d08c29fdf3d0bf558cf4bc96d7852f2fee3a54d91cefd81f90d61c66bf57d2538ec1c9bb2a0b55a8600bfd3c3cbf14a44756107d8e641db35039346c631

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcA5F96708A9A54E168484431D2737D79.TMP

MD5 c05bc58ae3119f04897189023ba593ed
SHA1 cd496174aaf67e0deaa216de1d7b974facba04ae
SHA256 0111f91fc70d9bc1635284d380ce55ce2e794178e68e2c7fa5bb55657f0d2506
SHA512 f6d9be2810e80b34d3ef2e272ed3c492af73cad0992c75e00bc6823114101258136e2d757ed7a0f5ca6797994a34c99873a54279c383f38265c2da142d800751

C:\Users\Admin\AppData\Local\Temp\RES4391.tmp

MD5 b3e8bb9fd6bf6571a30e742af0062e72
SHA1 2f542ad2f01181fedd61bb555181e810534d32aa
SHA256 aa87ba4cdf3b31ffaafe5e03faa630e2a831f724085ff5d8d7b60797fdbba68c
SHA512 431de4683bb6cc7c13efb9fc15703f8f5d1e74077cdb7dc35d35c697fe533d843389d8bea6f818a694ba45058eb2cdce4b8368385e8f3b133930b72251f03c20

C:\Users\Admin\AppData\Local\Temp\tmp42B6.tmp.exe

MD5 a3ebf2320ff32404b19f26e4126db7a1
SHA1 51ed1df4da4daa098027d6e7150c206d12bdf492
SHA256 99295e17b7b7388498512f50ac70fcfee6016016c84696856f9d06ce232d9f78
SHA512 d5b48cc4bcad1729d4b68d7a86f96a8800a41f94a74cfb3acc11275c90c7ab887ce43c6f2bc4b9a826f81e2ae7af371f7cdf6f83bac987782cdc92e2bd73a9d8

memory/2932-21-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/4672-22-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/4672-23-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

memory/4672-24-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/4672-26-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/4672-27-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

memory/4672-28-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-11 18:23

Reported

2024-04-11 18:26

Platform

win7-20240221-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp53EA.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp53EA.tmp.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp53EA.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2232 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2232 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2232 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2232 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2516 wrote to memory of 2624 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2516 wrote to memory of 2624 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2516 wrote to memory of 2624 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2516 wrote to memory of 2624 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2232 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | C:\Users\Admin\AppData\Local\Temp\tmp53EA.tmp.exe
PID 2232 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | C:\Users\Admin\AppData\Local\Temp\tmp53EA.tmp.exe
PID 2232 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | C:\Users\Admin\AppData\Local\Temp\tmp53EA.tmp.exe
PID 2232 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe | C:\Users\Admin\AppData\Local\Temp\tmp53EA.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe

"C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aak9jdjy.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55FD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc55FC.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp53EA.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp53EA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0895c29572a251d7d7c72ade31752bc1d8b8a92c70a81e25b3c4643e2f79a5d9.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp

Files

memory/2232-0-0x0000000074C80000-0x000000007522B000-memory.dmp

memory/2232-1-0x0000000074C80000-0x000000007522B000-memory.dmp

memory/2232-2-0x0000000000280000-0x00000000002C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aak9jdjy.cmdline

MD5 2db497eae862e4ed087a502c1906108f
SHA1 318fd4d2552bb84894a4d12ad6c78f2f755fbcd5
SHA256 afd77fec880dd24248a353e19bc84acfe875db89c654c4c69967307794694a5a
SHA512 e8cbfbb9492d4938e1495434db7299834f8e051018eb9c81cd0efae7cc41f442833a4ff51ef41f6c72c917a704273270db7066b0ca0bfbc32abe9ff449d39f67

memory/2516-8-0x0000000001F20000-0x0000000001F60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aak9jdjy.0.vb

MD5 3571f63e56e20e91eb5accd34c2acbcd
SHA1 4be34fe660a094070d53e7820f23ab95af51d9c9
SHA256 b5e6a31c92d33e46016722c7504668d1ac7ca148df5148326013dd179485dacd
SHA512 aac56f48467a9a075ed44660e8b7dc0feef4d4aa4d56b8f03cf90be728a47b2e07d03ef3eab421b749dc7b5f1def021c7612db6e6ea0d2e0b036ab239443f767

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc55FC.tmp

MD5 ef7452658bf5b0bfa0b3345a7b24044d
SHA1 dcaf020d860794d97be488b390736d65c279f577
SHA256 09db5ddbb830838252dc505b6b2b99d61534af1098c09f859097ac5e324fd0c3
SHA512 0e81d6aad68a31face65cb1f6b8208f9f7a4bbc1196745ac979c4424e88cab348b546bb74183056a8ee72fa123da9ec8213b0af1a2a828bf82edf7f242281b72

C:\Users\Admin\AppData\Local\Temp\RES55FD.tmp

MD5 1dd2eeb40b4e5dc9f3453b1bc13165d8
SHA1 b90defba4c1ba018ae005d4760542d15be4c2861
SHA256 db8a417729fd7ba0a1c2a7ffbe73dc46b22ebcc9d9b4608e156b182a7786fe02
SHA512 4c4afb530db8b5befe6efc6a5253537e2f9b45cc2b7521f9ef256eb08124b9096e7da2ecb4d5d9ee33fd84acaf480a5948da00c5a1f401e79a83cff2b69a5657

C:\Users\Admin\AppData\Local\Temp\tmp53EA.tmp.exe

MD5 ced27d14daf34a192b1208874a43824d
SHA1 189402d481739151f3257cf5cbc4e4f1440509c1
SHA256 4f2b7d1535fcc06ab20c9f066edad43b96cd123b7a7cab22f328496c996907b1
SHA512 b1542cda5c9a514425af59b563a7dfea236a2a47c2cc82429c528457689f1d33247adfe60fd8fd494a42f0c490702a543f4637cb7f61bba81d21086a9190d846

memory/2548-24-0x0000000074C80000-0x000000007522B000-memory.dmp

memory/2232-23-0x0000000074C80000-0x000000007522B000-memory.dmp

memory/2548-25-0x00000000005B0000-0x00000000005F0000-memory.dmp

memory/2548-26-0x0000000074C80000-0x000000007522B000-memory.dmp

memory/2548-28-0x00000000005B0000-0x00000000005F0000-memory.dmp

memory/2548-29-0x0000000074C80000-0x000000007522B000-memory.dmp

memory/2548-30-0x00000000005B0000-0x00000000005F0000-memory.dmp

memory/2548-31-0x00000000005B0000-0x00000000005F0000-memory.dmp