Malware Analysis Report

2024-09-11 10:22

Sample ID 240716-2n4vlatejl
Target 2561b7a1603462034ddf1da1bd2fed20N.exe
SHA256 5d029d827c3af7a0465416c60385d09c72ad34a600a6c1ba7e3ebf12d3ff0e22
Tags
metamorpherrat persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5d029d827c3af7a0465416c60385d09c72ad34a600a6c1ba7e3ebf12d3ff0e22

Threat Level: Known bad

The file 2561b7a1603462034ddf1da1bd2fed20N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Uses the VBS compiler for execution

Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-16 22:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-16 22:44

Reported

2024-07-16 22:46

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB229.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpB229.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpB229.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 232 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 232 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 232 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5036 wrote to memory of 956 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5036 wrote to memory of 956 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5036 wrote to memory of 956 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 232 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe C:\Users\Admin\AppData\Local\Temp\tmpB229.tmp.exe
PID 232 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe C:\Users\Admin\AppData\Local\Temp\tmpB229.tmp.exe
PID 232 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe C:\Users\Admin\AppData\Local\Temp\tmpB229.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe

"C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gu0wwysg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB45C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc837E273DE06A46C7AEF2622A8885B830.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpB229.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB229.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 44.221.84.105:80 bejnz.com tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/232-0-0x0000000074DF2000-0x0000000074DF3000-memory.dmp

memory/232-1-0x0000000074DF0000-0x00000000753A1000-memory.dmp

memory/232-2-0x0000000074DF0000-0x00000000753A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gu0wwysg.cmdline

MD5 2f1a97054f868935f7104987cdaaf765
SHA1 1c0c3eef53d3813446c14f44ac010cd81430bc50
SHA256 6e8a7f4fd2250ab75f988bd35135cb3b85d710093471e30813f3b888e65881d3
SHA512 6354ab7be509ca97f76057fefe4ab68b70fd02fdbcdae4545bac1f44f79294c696f43e83c1cb8fc79dff242cab578cb720db35a756b8cd60a6d8b60ac4584768

memory/5036-9-0x0000000074DF0000-0x00000000753A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gu0wwysg.0.vb

MD5 2a891c7779e816a4589248b5845e102d
SHA1 951206e71273a7e80165f3eb591c2498f7e1ae36
SHA256 3a5dfdac29f427b96dca7bfb1c5b705d1bd968c735b2cd0ffa21e5a89bbf3c26
SHA512 42174c8649964be4d5e3232a40eeea83b056f4353d25f3db2e1458c85f88a08c750188942391e9572ef7c2d2999d2e85e93cf389733f5b0fbb85045566d94ff0

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc837E273DE06A46C7AEF2622A8885B830.TMP

MD5 323bc8c8d1a1b5d33728f9f01db6ab34
SHA1 9e58ceaf69d552f137e9f7dad414b402ae4fefe7
SHA256 94b16f86326080303dda152a516b71c25f3548a71fd0efbc40e67299b3d04f2a
SHA512 d1233fd6c688df4f8b8a63813426008c622c8e60b9acf8e89540716bedc18cfa978761451f836678ce1982711635e3e088269522b688fc0b7cda9b655c95b119

C:\Users\Admin\AppData\Local\Temp\RESB45C.tmp

MD5 84bd34d1dfaa1ec2cd3d7a5b3a7cfead
SHA1 c3c775fa363aee7359d4823b318e34707a5f54fe
SHA256 7a0fece925c2e8015efa39afac8e1cc1cb2670ffb8a0a9ca387fd693cbd6311d
SHA512 f65f9aae2594f5c1b557f0ac3cacc6a512b6a1c509e745b9e8056b831c94c413fdf161bbbdca80e8d44743674ca9b53bdccf8a2682019f1b7270c501aaf1bb3e

memory/5036-18-0x0000000074DF0000-0x00000000753A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB229.tmp.exe

MD5 174b878cf321f33f817fdc678b8f61fc
SHA1 1da5557a956f9325dc1d588665725ad94e613d95
SHA256 0b2e652a06babc3de46c19523ed77719640afd24289f9542b8d7fa85e83c8cce
SHA512 66d9736b9f268649136a1782c136146e6c5bf8c5b23952ff600ef3af7951cedfd1b9adc8c5724aa53aa5e38a8718b0ac02d4000620a7ca497246b9295502d8a4

memory/232-22-0x0000000074DF0000-0x00000000753A1000-memory.dmp

memory/2600-23-0x0000000074DF0000-0x00000000753A1000-memory.dmp

memory/2600-24-0x0000000074DF0000-0x00000000753A1000-memory.dmp

memory/2600-25-0x0000000074DF0000-0x00000000753A1000-memory.dmp

memory/2600-27-0x0000000074DF0000-0x00000000753A1000-memory.dmp

memory/2600-28-0x0000000074DF0000-0x00000000753A1000-memory.dmp

memory/2600-29-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-16 22:44

Reported

2024-07-16 22:46

Platform

win7-20240708-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2420 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2420 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2420 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3056 wrote to memory of 2416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3056 wrote to memory of 2416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3056 wrote to memory of 2416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3056 wrote to memory of 2416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2420 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp.exe
PID 2420 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp.exe
PID 2420 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp.exe
PID 2420 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe

"C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w2cdh77j.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC4F4.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2420-0-0x0000000074C21000-0x0000000074C22000-memory.dmp

memory/2420-1-0x0000000074C20000-0x00000000751CB000-memory.dmp

memory/2420-2-0x0000000074C20000-0x00000000751CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\w2cdh77j.cmdline

MD5 b58ee7c72301282530c875b011d133b1
SHA1 3f581411183a0a47c654c8d623b4c5b4dc5c7cbf
SHA256 f22c24548d225507d55936db1bfb93cbf7c3202ee4029cf2dc76af144b0f735c
SHA512 c313f57286b17fb9dff46b868852c125d4a3fe9064b98caa7e94733d4f20552f6371cc2d2843483e510f50dd6f7ebfb1c2417885918d2fb877da0394799304f3

C:\Users\Admin\AppData\Local\Temp\w2cdh77j.0.vb

MD5 4e96b0edbfd33ce2046ff57c7e129961
SHA1 a6b402fdf2d556b9ad36ff19d3370b524f25078f
SHA256 0dbbcdba3e21e41fef50e986e4b14e6473fd877c56e97c6358660f275785464b
SHA512 05fa3d742cb0627dfb53c8a9ff7a30bd94d9865b02b23791a9df70af9cf08f82e73bde7e1306fce9b11f0b21edf9ea1cd91b7585ce2a259eb8f29a3d2d4dc8af

memory/3056-9-0x0000000074C20000-0x00000000751CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\RESC4F5.tmp

MD5 5396a6867178ec873a350c83e08fd6de
SHA1 df822d77fcc803db1ce8c63e7f44e60e97476883
SHA256 6f4b48a0af9da97afbf4c2e036583702187a7a9eabd7fc6dbf79199623b95dc7
SHA512 0b217dc0bbc800eea8001530cb6d75f7af1dd49a9ed29e88045b86c2d0f7236549106e92c0beda2d34613d603eee21dd0a950eb092d4900caab53a3cd59af174

C:\Users\Admin\AppData\Local\Temp\vbcC4F4.tmp

MD5 e64f9fa747851e9215931ce73618b274
SHA1 8fb41ad49cf070609473ced2a985ca930d68d559
SHA256 332b5d6fbbb7d311ad130384d4ffcb8a2ac08b9ea8699eb0c626d6b9bd0ed7ae
SHA512 73618c3e3202d147e93c81951cfe7f30f675322ef41e92bb98cdd4dcb4c0299935b619e382beaf00deea7140fb506bccd54bb6b44de42dc4a29d098197bfe8ff

memory/3056-18-0x0000000074C20000-0x00000000751CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp.exe

MD5 897448f51a8a3f0d26da66d14c11cf06
SHA1 2e704c0382404a7dad92d5ead13d59a8fecbecd9
SHA256 d6c819f1bdb2296e9c5fb4dffce7a5531fdd337aa479b3432a3242a78df0e0eb
SHA512 4ecdc80986c8d1451953c4a1dd6e4e05df94e88a454d7fde140121fa22ed629723fd6df155b3ea88e7edf8e8aed5df17cec651b5997fb116fd4e371e4c90766c

memory/2420-24-0x0000000074C20000-0x00000000751CB000-memory.dmp