Malware Analysis Report

2024-09-11 10:24

Sample ID 240724-fmgssasdng
Target f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1
SHA256 f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1

Threat Level: Known bad

The file f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
System Location Discovery
T1614
System Language Discovery
T1614.001
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-24 04:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 04:59

Reported

2024-07-24 05:01

Platform

win7-20240708-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpDC3B.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpDC3B.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpDC3B.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpDC3B.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2628 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2628 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2628 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2628 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2296 wrote to memory of 2960 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2296 wrote to memory of 2960 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2296 wrote to memory of 2960 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2296 wrote to memory of 2960 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2628 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe C:\Users\Admin\AppData\Local\Temp\tmpDC3B.tmp.exe
PID 2628 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe C:\Users\Admin\AppData\Local\Temp\tmpDC3B.tmp.exe
PID 2628 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe C:\Users\Admin\AppData\Local\Temp\tmpDC3B.tmp.exe
PID 2628 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe C:\Users\Admin\AppData\Local\Temp\tmpDC3B.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe

"C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4u_8tgs4.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE20.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE1F.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpDC3B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpDC3B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2628-0-0x0000000074EF1000-0x0000000074EF2000-memory.dmp

memory/2628-1-0x0000000074EF0000-0x000000007549B000-memory.dmp

memory/2628-3-0x0000000074EF0000-0x000000007549B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4u_8tgs4.cmdline

MD5 4fdf7e70caf1be5e2c4b7deb1cc1730a
SHA1 e50bab44dcd2af6a41b105352ef9eebf74ad465e
SHA256 ecb20b701fa0e797ea1277f909e28311cd527967cea2d87a6e2a88c0de819a11
SHA512 154b64f6130917c04c8cd34f26a01cc6dea9a825b9749c8bf3e6e05e4bd1df9e4f3f75bfbb233fd4f8be4a7af46a2b17ac72d718b37f04d8f9c338a4c46c737a

C:\Users\Admin\AppData\Local\Temp\4u_8tgs4.0.vb

MD5 34f91d427367e80aae4c1efb1a2d0645
SHA1 3832144bf21fda73fd38775f07740e99a0c079b7
SHA256 5017bc19f9e59685c1a30ef062bdcb162f4c10574efddc657f546c3b81902e7e
SHA512 427974b878ad2c95b12455667d41e9ad29c1cbfcecaad18d53a6b770308e9e85e485c8f1005683108a498b3b73c5ad3292881b5502eaf28843139705e6911fed

memory/2296-9-0x0000000074EF0000-0x000000007549B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbcDE1F.tmp

MD5 e4dedfbe6b5db4630e9f72c0af2cd117
SHA1 fffe69c777c1bf4c914bd65cb585f06df8481080
SHA256 1bde20377664fb85d01c2af81e99e0d1055809c5b716820ff5d494e104c7c234
SHA512 7d0ea196826714e58dc6b93a53cc8931586d222ad925b8535e2987aae90257d6bb222976e2312a6ca9016fbb0c706033954eba57dede6822a25620f9e8ec3078

C:\Users\Admin\AppData\Local\Temp\RESDE20.tmp

MD5 c093b71502f29be16e9fa0a76076d81c
SHA1 18c90201d69e7a11f51e4a0b1a90061641225b67
SHA256 283cbc4ab3f4b7d603e4b53e9f2fdad5d051f09d6471d6403a79e7616193505e
SHA512 8035f5cf700a725be59d706f572130ef1b3b42cee21d15f3d46ae7a455e6a85587cbb08535b03599b8f25b94e223c55f682e79d5c7ff72d1c420ce2d8743c8ee

memory/2296-18-0x0000000074EF0000-0x000000007549B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDC3B.tmp.exe

MD5 1b220dd9912433ed1bac64875d11d8bb
SHA1 92fdc333098cfc406d2a3e0f9a2b851dee6595f5
SHA256 51b7ba6929d759583ed659876b46cc803a2e30b5cd52a26c3ee51129e534c45a
SHA512 0acd9e5cac58d583e2243ce08b6704b75bcba0ed4b97ee3c583b47d25b3370bafdeab028b4d35a38bc1bebacd9ccea6c00f13f43c7cf756657c33cc997ede3de

memory/2628-24-0x0000000074EF0000-0x000000007549B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-24 04:59

Reported

2024-07-24 05:01

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpD1C7.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpD1C7.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpD1C7.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpD1C7.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3096 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3096 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3096 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3460 wrote to memory of 3152 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3460 wrote to memory of 3152 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3460 wrote to memory of 3152 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3096 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe C:\Users\Admin\AppData\Local\Temp\tmpD1C7.tmp.exe
PID 3096 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe C:\Users\Admin\AppData\Local\Temp\tmpD1C7.tmp.exe
PID 3096 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe C:\Users\Admin\AppData\Local\Temp\tmpD1C7.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe

"C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jjt2m8am.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD30F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7A2D578840B42458F4C7CF74E587E8.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpD1C7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpD1C7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f73d98bffd37b8dcea7a04d716da4c09ea5611ea5b3de5eee95c4bdefb6109c1.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

memory/3096-0-0x0000000074722000-0x0000000074723000-memory.dmp

memory/3096-1-0x0000000074720000-0x0000000074CD1000-memory.dmp

memory/3096-2-0x0000000074720000-0x0000000074CD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jjt2m8am.cmdline

MD5 4b3e94e4f23825fd826fa5ecf0e02013
SHA1 e7cdef646f6d3e25dfa3a47d093a26bb3fc41a6c
SHA256 8d3ec21b97beed94bd2e1bfe1d46ac2ecd6656dba064e6cf9bea64c2863e80cf
SHA512 b7fbc3c919448d4241336a7028394ada6eb04908001f0af395a89ff9634adf64c2e29fe9a8d17ab6b6e2ae7b3fe8328dfb49b6b8f98c716385beedc5f3dc3216

memory/3460-8-0x0000000074720000-0x0000000074CD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jjt2m8am.0.vb

MD5 25434663a57ed75713058610213d949d
SHA1 c842c0c159ff0fb6863efffb11f8accb3237b671
SHA256 bda5728f5d480726935548116ab53e8ee4ba49654ba5aa6a40e640e6707f556d
SHA512 a55f0ce1e68b3fe50db794ade96525efadb2ed31a93b11656ec0a682d5b55833e445d74427b1d1c2f48e4b5c3d0b2adff847c7ef4d8690cf504b5dc5165abd81

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc7A2D578840B42458F4C7CF74E587E8.TMP

MD5 d0c8335d9bfefd2074202df4a729e3a1
SHA1 f15fae1163b54c9c9ecc5b444b3d53d3f075d74e
SHA256 31706f48cfb75bc5da66b47d47796e0b06fdb421325fd0b953e7fa4543802678
SHA512 dd883e669f3aa13b503af91aea5d5a1fa176332f89b184646865d75de8d6a5992f4231c4169b4da0a2e3d16459eb8f3be8f057165763444679733cd7442f5e74

C:\Users\Admin\AppData\Local\Temp\RESD30F.tmp

MD5 3b401dc17ce5caf641e78402091c1890
SHA1 4e2164c453faca4aa15cb30b7630f07a83f7524b
SHA256 8b9369d78fe66aa407ebcfcebc447ec0268a38cc69d8eede62c2b83887e0e9d4
SHA512 e8774a92aadaac7f3e963f315076edb794ba4e9bb65bcf2a20b096f5bf062b8aaff7b929923106804471637f4648f45c5faee21b69290dc24a96faece9766e70

memory/3460-18-0x0000000074720000-0x0000000074CD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD1C7.tmp.exe

MD5 0222cd75b38371d8df1c7347c03c1d54
SHA1 e45bba56e6274121cffaab64ea844c5b471ab646
SHA256 fc6c82ee89f95632f88a895c825820c55397fb61a92947c820dcb9b28c4c0c32
SHA512 242270b3088587cbb9ef49d6795c60c8d2abec8fa158de89c2166e83b00b656e0ebeb242a8305c51dbb7fa2561e61ca413c28b72c42ccb7f77ce8ecf4c289164

memory/3096-22-0x0000000074720000-0x0000000074CD1000-memory.dmp

memory/4396-23-0x0000000074720000-0x0000000074CD1000-memory.dmp

memory/4396-25-0x0000000074720000-0x0000000074CD1000-memory.dmp

memory/4396-24-0x0000000074720000-0x0000000074CD1000-memory.dmp

memory/4396-27-0x0000000074720000-0x0000000074CD1000-memory.dmp

memory/4396-28-0x0000000074720000-0x0000000074CD1000-memory.dmp

memory/4396-29-0x0000000074720000-0x0000000074CD1000-memory.dmp