Malware Analysis Report

2024-11-16 13:11

Sample ID 240411-yy3thafc31
Target 37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75
SHA256 37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75
Tags
persistence metamorpherrat rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75

Threat Level: Known bad

The file 37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75 was found to be: Known bad.

Malicious Activity Summary

persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Checks computer location settings

Loads dropped DLL

Deletes itself

Executes dropped EXE

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-11 20:12

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-11 20:12

Reported

2024-04-11 20:15

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3400.tmp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3400.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp3400.tmp.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3400.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3620 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3620 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3620 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1624 wrote to memory of 3912 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1624 wrote to memory of 3912 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1624 wrote to memory of 3912 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3620 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | C:\Users\Admin\AppData\Local\Temp\tmp3400.tmp.exe
PID 3620 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | C:\Users\Admin\AppData\Local\Temp\tmp3400.tmp.exe
PID 3620 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | C:\Users\Admin\AppData\Local\Temp\tmp3400.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe

"C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o-ee7csm.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES351A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1EE53906AFA644C7B172EE3D1EDF3E44.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp3400.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3400.tmp.exe" C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp

Files

memory/3620-0-0x0000000074B20000-0x00000000750D1000-memory.dmp

memory/3620-1-0x0000000074B20000-0x00000000750D1000-memory.dmp

memory/3620-2-0x0000000000D40000-0x0000000000D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\o-ee7csm.cmdline

MD5 9c6a0203a4b3461c0720284b814b76eb
SHA1 5ac669e08ddc082ce08f4c9dd5684fcb5b1997ae
SHA256 b1c54229484f55d5beeb4891f30398d292d4b036432d16cefa58f5d0e8735455
SHA512 d03fd1afb2d1623093e97865e34fd92627871dc560701d78b143e35429e8107faeba261383a323b3201188b2a23b94238b0fd136f7f86a9489610a9395ebcdec

C:\Users\Admin\AppData\Local\Temp\o-ee7csm.0.vb

MD5 b549faf7c5e818186309aeb1690e86e2
SHA1 bfc123028a7bdc475b00ced6aea89e35047502ab
SHA256 6307563bf11b7192945cad093c49670269e4d2d719b96568b9a181e7a62e97cc
SHA512 fb14040c7a402d4acebb9aebb4ef3917d0e27759e47eb43f9ab31b1d782635fe411eaa408ad614a8937d1e1c050d660c0bb9cfd9a620823965496500563c1352

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc1EE53906AFA644C7B172EE3D1EDF3E44.TMP

MD5 baebd8470b803cb883daf989aad86caa
SHA1 cd4aa97bb181a2c560cdff07e3ec8dfb932d2d9b
SHA256 af3e47c7be9404acf8e496f6f6b7dbfa303181f3d6e01f576751e93e05fec426
SHA512 fb3672a89875c2c6d6ad0f65f311ee80be9680baa851cad4502b425e079cd29c9357cf5dadd0f98e86c094ee15bc85f1fbbcf279cda155bb7e0a18a5d415c305

C:\Users\Admin\AppData\Local\Temp\RES351A.tmp

MD5 152d046919ddf6a5a85215821ffca61b
SHA1 4d1fbd8b57e367c561ed08e3897e47ce1f042b68
SHA256 ea1f817246bdceb0170117cf7edc414002546c238653e47c3f53f31a128d4335
SHA512 f37aed3e5e6090a9e1ca0916018994a7d3d588d4e17743efc50cd3bd1d551dc52696c63bd4e652f1574cff3eb9810053527572b35bcf4afc91aca4528c8c32d3

C:\Users\Admin\AppData\Local\Temp\tmp3400.tmp.exe

MD5 fdd1d7b83256fd8efc87fbaa944515d9
SHA1 2ae38fd1cb2379363a7f5b0162308f3da56e6ab9
SHA256 bd9b950f77983fc5f37fa61fac42654349b47be840a4fdab91cff2db149366eb
SHA512 4fc110d3b9c157c0b62d1b3ec2c289c2450db88cb671bbd7e5d1e3b871ba7ad6f8f1bfccfa82fbebee791c51a46949099504e55c03ee5feb5d71994549fee4ad

memory/3620-20-0x0000000074B20000-0x00000000750D1000-memory.dmp

memory/4856-21-0x0000000074B20000-0x00000000750D1000-memory.dmp

memory/4856-22-0x0000000074B20000-0x00000000750D1000-memory.dmp

memory/4856-24-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

memory/4856-25-0x0000000074B20000-0x00000000750D1000-memory.dmp

memory/4856-26-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

memory/4856-27-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-11 20:12

Reported

2024-04-11 20:15

Platform

win7-20240221-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3B1D.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp3B1D.tmp.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp3B1D.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2372 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2372 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2372 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2372 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2612 wrote to memory of 2648 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2612 wrote to memory of 2648 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2612 wrote to memory of 2648 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2612 wrote to memory of 2648 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2372 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | C:\Users\Admin\AppData\Local\Temp\tmp3B1D.tmp.exe
PID 2372 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | C:\Users\Admin\AppData\Local\Temp\tmp3B1D.tmp.exe
PID 2372 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | C:\Users\Admin\AppData\Local\Temp\tmp3B1D.tmp.exe
PID 2372 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe | C:\Users\Admin\AppData\Local\Temp\tmp3B1D.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe

"C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uluwpauv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CA4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C93.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp3B1D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3B1D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\37e611cb4b71e83ad9ee94362a0348d478a7c21034db728fdf432dd4205cce75.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp

Files

memory/2372-0-0x0000000074810000-0x0000000074DBB000-memory.dmp

memory/2372-1-0x0000000074810000-0x0000000074DBB000-memory.dmp

memory/2372-2-0x00000000021F0000-0x0000000002230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uluwpauv.cmdline

MD5 1eafcd0ce5515ecf148c45f09dc1ffc4
SHA1 700ee5d80f16e52f01f1563c1fe423dd4c85c5c5
SHA256 e4b46457121292e840bbcf4c9f8fb6af1b9168c082d0b6c8c27f4a6256edb555
SHA512 55010472e1e0eb0c17b17757c5debc87d1ddd2e88376721cb506f93ed54ecd2ca02464771f186e226575877471bf281f4ef8021b91d5855531a53728093defcc

memory/2612-8-0x00000000020A0000-0x00000000020E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uluwpauv.0.vb

MD5 7c8ebbd30dfe79d7bbcdf8d98e82a6cc
SHA1 cb0cf6998583999f677a5240b363338bbaf74efd
SHA256 cfb730692da6973791be07ad6ff94143a48776117290ee44b9351f797014149c
SHA512 9db76f0e3a617bbe30f61a9d244078394214c622b699dfb9388e2d0a76807f063c6e72a36f5825474b6719a2af5f3e7b1fed4fe00ed0898bb1f21df0b9d374a0

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc3C93.tmp

MD5 084adcc1ad62912808ae4cc6a54be6ab
SHA1 6b0a1d1764ef8c0866a9aeb3e14f1b69630f1229
SHA256 e71882aeb39405315ababb30dbc353a7005217e1f59e393018825cda967663da
SHA512 a9801c960516922ae1cff9658796801e2ec2d1fffd5d53efbb49cdd4dec61358ed75c1392ce3136fcb5d6082d80e05de46ac69d808c376e306664df383b1868e

C:\Users\Admin\AppData\Local\Temp\RES3CA4.tmp

MD5 d46414bd1f57e51e9887d979eb6d5754
SHA1 9eeb54b411e9bbedfc4076b4315ef78bcd71a47a
SHA256 8772453feda3cc849e2f8a0036d5f5f180745fefbcbdd15172d9a38f01d5617d
SHA512 542fbbd6ed3596ca1a76fa3b7ec446ee494eca8d08b6e79fc7d19e062b35c0353b946ff1637cf741f221b6730060517a63cd53c4aa4d85a0a21041b59b0a357a

C:\Users\Admin\AppData\Local\Temp\tmp3B1D.tmp.exe

MD5 4beeb6f8121052613ec4cba2423320c8
SHA1 ea6dfad02d11b31091eacf8980ac18581b5cd937
SHA256 64ce53392a7585fe31664464cfca8e3ae2375c4b6d4ac987c5b8fd09957d5bb9
SHA512 901346d30ded2be3f703ca2325b02ee2c779876f800d5f0ab662543c80c87a7484e70386d4a521e17a38edfb8e6c134618d6dfaf606a9c851a3946c2f4a19aa0

memory/2372-23-0x0000000074810000-0x0000000074DBB000-memory.dmp

memory/2588-24-0x0000000074810000-0x0000000074DBB000-memory.dmp

memory/2588-25-0x00000000020B0000-0x00000000020F0000-memory.dmp

memory/2588-26-0x0000000074810000-0x0000000074DBB000-memory.dmp

memory/2588-28-0x00000000020B0000-0x00000000020F0000-memory.dmp

memory/2588-29-0x0000000074810000-0x0000000074DBB000-memory.dmp

memory/2588-30-0x00000000020B0000-0x00000000020F0000-memory.dmp

memory/2588-31-0x00000000020B0000-0x00000000020F0000-memory.dmp