Malware Analysis Report

2024-09-11 10:23

Sample ID 240726-f5nn2ssbqc
Target f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff
SHA256 f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff

Threat Level: Known bad

The file f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Uses the VBS compiler for execution

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scripting
T1064
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Scripting
T1064
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
System Location Discovery
T1614
System Language Discovery
T1614.001
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-26 05:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 05:27

Reported

2024-07-26 05:30

Platform

win7-20240708-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2716 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2716 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2716 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2716 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2720 wrote to memory of 2852 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2720 wrote to memory of 2852 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2720 wrote to memory of 2852 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2720 wrote to memory of 2852 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2716 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe
PID 2716 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe
PID 2716 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe
PID 2716 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe

"C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wleikvru.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2492.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2491.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2716-0-0x00000000740C1000-0x00000000740C2000-memory.dmp

memory/2716-1-0x00000000740C0000-0x000000007466B000-memory.dmp

memory/2716-6-0x00000000740C0000-0x000000007466B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wleikvru.cmdline

MD5 1bf064ecc0656f91ad4fbcaec55dc0ad
SHA1 7722fbd198aea327cf0c66945f5e1d17d980b282
SHA256 c4469b0b939311c0a979cc97082c1707b698efa50aa68d7f0777ccc66bc99e59
SHA512 b485a0b826d81302c563aafbffe3a53dd71cccc5f3d62cf7c6b89c1a33093c410fe802bb7678cb4456ff077a57c8c4157efc10e6e32da50ca51c7673d18cda3d

memory/2720-8-0x00000000740C0000-0x000000007466B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wleikvru.0.vb

MD5 d293403390fe2c36172b27c64d5c8650
SHA1 7da8e06d74ca0eb27de9be37a7f6edbd09aa977b
SHA256 01f36b19af186ed3cb30eefb5de7a90e1a42ed5fc80c954da69403245116524c
SHA512 38d67d55a3a7709187f1841f754e5c2e526a22ca0e9d7fe9aae5768c220ea698c3295f660eaca8794dd68ee1dbdf0f56878e30e46f92566ebe58cf9e12cf8095

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 6870a276e0bed6dd5394d178156ebad0
SHA1 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

C:\Users\Admin\AppData\Local\Temp\vbc2491.tmp

MD5 06c9e30575a76e9078b3348a847e5d5c
SHA1 ceb29e8f306b0f49e81b10d6546002077a77c39e
SHA256 37259d75ddf2ee54bb550017eca80db23f92dbccc62f68272e3ff8cacef39b4d
SHA512 0f72893e3248ca82084f50d1caa43f761ae7ef8153f437177f86299ef8df4c74bc38829a86b29628cd369b341cfcf006159dc11d0a4b6d669603a8a39028ffbb

C:\Users\Admin\AppData\Local\Temp\RES2492.tmp

MD5 d11fa8c5ba0127d1273631b185398739
SHA1 ed9df0ba12ca7f80ffbeb9adde9502bf553d8d6d
SHA256 52f9242df07e778fc7767d862060b7802e049275c0018682b8823445acc8662a
SHA512 a20ec45faa79e6317fe86fa66171467d57909a1183e422bf1007c8283119c03dd7608d0f019bfbd33790e113ec2577e6efde9e822ea7805a25db2110726292fa

C:\Users\Admin\AppData\Local\Temp\tmp23C6.tmp.exe

MD5 0ba125c8789e9cabbb7e931d91a056bc
SHA1 9203e443f9ed4b5e136edf36b01cbd3ce424282c
SHA256 18f2b2c9379e3f32c80a8d548782012c298c5f44d8680488e1690349431897c8
SHA512 e9a5ecf7ea3f999500326866438e6f54d5486c1811c309476a131fc6eccc0416bc11a37ee5aeb8c1a8432d62814b25a5730958b9654114625a86e8f6939b2339

memory/2720-18-0x00000000740C0000-0x000000007466B000-memory.dmp

memory/2716-24-0x00000000740C0000-0x000000007466B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 05:27

Reported

2024-07-26 05:30

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1756 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1756 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1756 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1964 wrote to memory of 4780 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1964 wrote to memory of 4780 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1964 wrote to memory of 4780 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1756 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe
PID 1756 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe
PID 1756 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe

"C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\etflx7_s.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB16E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B58DEAC7A2B41089190DBC0AA458C7D.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/1756-0-0x0000000074842000-0x0000000074843000-memory.dmp

memory/1756-1-0x0000000074840000-0x0000000074DF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\etflx7_s.cmdline

MD5 de6785abee22a787c242bb23c60568d6
SHA1 0cfc2c20e1b8227bc074fd63baab7be179e7e2c9
SHA256 3bb0a7f3eaf624fda9feb401c9f763036174f13068e16137145bdd8d362a26f7
SHA512 d55c5feb6b12e317a38c7bbff1b35587e44c03d720307e7d1d12acb5f479aec140508675f82b6a5fffc45bb4c4c72020a538b427cdf1f866e55f4cc2edba7298

C:\Users\Admin\AppData\Local\Temp\etflx7_s.0.vb

MD5 b6e076569014c1504f10f402b4500bf1
SHA1 2d946dde31e3cac560dd3695a8c0d928c547c45b
SHA256 840b439b955f3aade074b149ccb1bc49d6e2bed72599a9cadeafdecb1008043e
SHA512 d5cfefb7372d8df28296b26d88d160c3ddadac05d746bb8fa5840590ed19b4b3233aca0e3941916b2ccbd8c9de16a0526aca118ac51ebcee0c3caf75da60a814

memory/1964-8-0x0000000074840000-0x0000000074DF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 6870a276e0bed6dd5394d178156ebad0
SHA1 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

C:\Users\Admin\AppData\Local\Temp\vbc7B58DEAC7A2B41089190DBC0AA458C7D.TMP

MD5 31786bb106ce27678c8cf47292f6e23e
SHA1 8a1a798561a172f4a31c2a05ebb53f971ae0ddca
SHA256 e6e7babc0014aae8eeacf913253a4700ba363a2ea37926169bea56a923c80ac0
SHA512 7a20a8b02d9d51e1442da55877bd67a79201ff4bc4efed796512f45463fc26f67cbfc7dba662609c98f382a359ca6ba6e373f3b64d37b34c4d79f7924c34c726

C:\Users\Admin\AppData\Local\Temp\RESB16E.tmp

MD5 cccd1afad03e6d6c6b6c756ae943ea09
SHA1 740fd4744f1c27b311167f3b23e0b2e5367d9a8f
SHA256 ef06eb833b90ea025446ddff566d0c234689c2a9be10c75e15a4f8e8a0140ccd
SHA512 dd8edcda325e433e71fbb905e0639da39e38375a4046bdb57d38cf614d7bcb8fc8e7ab3ed371ca50f462e3388d8a4d618498bd4fc8736d47ade0398257e2143d

memory/1964-17-0x0000000074840000-0x0000000074DF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe

MD5 3bea4c1dab266d43a2c2b145ccdb570a
SHA1 a1f64d4fe16970ddb52a101e3aa052fd628efcae
SHA256 8e20258dfac87f7906abb66111616d0baf0cd08db4944c84766a9629846a2369
SHA512 e3e61c53126af8669c767b0371a13f25bfba88fd6376da52f9401071977c469c690fcda2ae4f356afd0d9d96ae8efd4b161ecaa255f2074e445d00c3a7699431

memory/1756-21-0x0000000074840000-0x0000000074DF1000-memory.dmp

memory/1316-22-0x0000000074840000-0x0000000074DF1000-memory.dmp

memory/1316-24-0x0000000074840000-0x0000000074DF1000-memory.dmp

memory/1316-23-0x0000000074840000-0x0000000074DF1000-memory.dmp

memory/1316-26-0x0000000074840000-0x0000000074DF1000-memory.dmp

memory/1316-27-0x0000000074840000-0x0000000074DF1000-memory.dmp

memory/1316-28-0x0000000074840000-0x0000000074DF1000-memory.dmp