Malware Analysis Report

2024-11-16 13:11

Sample ID 241109-c4289syjeq
Target b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570
SHA256 b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570

Threat Level: Known bad

The file b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Uses the VBS compiler for execution

Adds Run key to start application

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 02:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 02:38

Reported

2024-11-09 02:41

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1356 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1356 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1356 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3484 wrote to memory of 2532 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3484 wrote to memory of 2532 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3484 wrote to memory of 2532 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1356 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe
PID 1356 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe
PID 1356 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe

"C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c3njrxmt.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CEC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E526CA59D940FF8FCA129C2BB9D5A5.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe

Network

Files

memory/1356-0-0x00000000749D2000-0x00000000749D3000-memory.dmp

memory/1356-1-0x00000000749D0000-0x0000000074F81000-memory.dmp

memory/1356-2-0x00000000749D0000-0x0000000074F81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c3njrxmt.cmdline

C:\Users\Admin\AppData\Local\Temp\c3njrxmt.0.vb

memory/3484-9-0x00000000749D0000-0x0000000074F81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

C:\Users\Admin\AppData\Local\Temp\vbc2E526CA59D940FF8FCA129C2BB9D5A5.TMP

C:\Users\Admin\AppData\Local\Temp\RES9CEC.tmp

memory/3484-18-0x00000000749D0000-0x0000000074F81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe

memory/2360-22-0x00000000749D0000-0x0000000074F81000-memory.dmp

memory/1356-23-0x00000000749D0000-0x0000000074F81000-memory.dmp

memory/2360-25-0x00000000749D0000-0x0000000074F81000-memory.dmp

memory/2360-24-0x00000000749D0000-0x0000000074F81000-memory.dmp

memory/2360-26-0x00000000749D0000-0x0000000074F81000-memory.dmp

memory/2360-27-0x00000000749D0000-0x0000000074F81000-memory.dmp

memory/2360-28-0x00000000749D0000-0x0000000074F81000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 02:38

Reported

2024-11-09 02:41

Platform

win7-20240903-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1292 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1292 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1292 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1292 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2548 wrote to memory of 2080 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2548 wrote to memory of 2080 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2548 wrote to memory of 2080 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2548 wrote to memory of 2080 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1292 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe
PID 1292 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe
PID 1292 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe
PID 1292 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe

"C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h-bp_grx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB27E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB27D.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe

Network

Files

memory/1292-0-0x0000000074201000-0x0000000074202000-memory.dmp

memory/1292-1-0x0000000074200000-0x00000000747AB000-memory.dmp

memory/1292-3-0x0000000074200000-0x00000000747AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\h-bp_grx.cmdline

memory/2548-8-0x0000000074200000-0x00000000747AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\h-bp_grx.0.vb

C:\Users\Admin\AppData\Local\Temp\zCom.resources

C:\Users\Admin\AppData\Local\Temp\vbcB27D.tmp

C:\Users\Admin\AppData\Local\Temp\RESB27E.tmp

memory/2548-18-0x0000000074200000-0x00000000747AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe

memory/1292-24-0x0000000074200000-0x00000000747AB000-memory.dmp