Malware Analysis Report

2024-11-16 13:11

Sample ID 241109-d8zjlswlet
Target ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9
SHA256 ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9
Tags
metamorpherrat discovery persistence rat stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9

Threat Level: Known bad

The file ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:41

Reported

2024-11-09 03:43

Platform

win7-20240903-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1984 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1984 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1984 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2500 wrote to memory of 2204 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2500 wrote to memory of 2204 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2500 wrote to memory of 2204 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2500 wrote to memory of 2204 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1984 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe
PID 1984 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe
PID 1984 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe
PID 1984 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe

"C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wopxvhqs.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89BA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc89B9.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp

Files

memory/1984-0-0x0000000074F11000-0x0000000074F12000-memory.dmp

memory/1984-1-0x0000000074F10000-0x00000000754BB000-memory.dmp

memory/1984-2-0x0000000074F10000-0x00000000754BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wopxvhqs.cmdline

MD5 c5d8cdd19c63f18e7ebaaab5d2fe5791
SHA1 d86e82ce35edd0a4b509a7600732aeca809b8e08
SHA256 1500ec00c183531e48012d0d8bf094148f6452572672170d7e18113649e49042
SHA512 1ee932cc23ec24a46b8b59dd27cf2d1c968502a9894124972c248248bec904461040edd9e02f81cc78584da91ca9ca1b8e9505c3fd52f041d9d5275062b0cdcd

memory/2500-8-0x0000000074F10000-0x00000000754BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wopxvhqs.0.vb

MD5 e850b338c4ee69c6d6c06236909b010a
SHA1 8e8a114fe1d2fe4a32466d7678016e3773356480
SHA256 be6a4a999d41134e133ab77c835e93309dd5b4fcd4945965aea20b99a891ac00
SHA512 d0847911ab22cb13ae79de76a2b4baf7aa9808598c0a305819232ce3eb22c69c8d0801c8a6ce760b9ee3891d4f0e2d4362a8f42f9f9b1297c2b23125c5d83b42

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc89B9.tmp

MD5 e196b6a1aeea3c27b98c475dc0a36340
SHA1 ad9407dfe089d429d99d006695f46601698c628d
SHA256 63de2f79e354f6a095c7c751a84ca07c2b3cec7cd0bfc82a02e1860b988702ff
SHA512 134e20239be84d98c34f9a3e33130db4b7de7cab87758a9ca7a4097573434c855adca65cb98f162c33703aef20095606cd5baf324fef22a1837e57c5dc68ab25

C:\Users\Admin\AppData\Local\Temp\RES89BA.tmp

MD5 2472b85bc8bd577193c8ee0d54c5cb38
SHA1 d238202671ae13625a9b62ae1b9b5944b8234336
SHA256 641c2d3a7622599b2c49639f19b48646e220f010790bb24fa36b55e07e20b618
SHA512 a5f374e954df49f84360cfc2a3fc81697990d5bad42393133c44b032423c77c0cdbbeb35e2fd72d5d44fca5cbd46c52afccb5a1d0eb741db6948a7f9c354d389

memory/2500-18-0x0000000074F10000-0x00000000754BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8852.tmp.exe

MD5 a1a7d913f394657e10d637831866222d
SHA1 cd9b6f3b16c4fdeee328bf2ef71391cc11619dc1
SHA256 0fd62c808b69261aba87d72a9fa133768524e60f810488ee4876ea0f4229f1df
SHA512 40b3462fc7ea9f280d7196374dcbbf3e3d3764e0e9a4b6199ead8db08a3f494d1bd12955f050bfd82ebae46c854026447695dcf3118f54a3ddc1d2815a4b52cc

memory/1984-24-0x0000000074F10000-0x00000000754BB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 03:41

Reported

2024-11-09 03:43

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp63BB.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp63BB.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp63BB.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp63BB.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2144 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2144 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2144 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1488 wrote to memory of 1904 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1488 wrote to memory of 1904 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1488 wrote to memory of 1904 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2144 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe C:\Users\Admin\AppData\Local\Temp\tmp63BB.tmp.exe
PID 2144 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe C:\Users\Admin\AppData\Local\Temp\tmp63BB.tmp.exe
PID 2144 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe C:\Users\Admin\AppData\Local\Temp\tmp63BB.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe

"C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cahpbrwf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6486.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc52324A9B7E964BD8B1374B1DE36163B3.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp63BB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp63BB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ca2a2808f14bf50121a00a170bae9b116bf5045fd6cacbabd14bf19ad76300f9.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 rwkeith.no-ip.org udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2144-0-0x0000000074672000-0x0000000074673000-memory.dmp

memory/2144-1-0x0000000074670000-0x0000000074C21000-memory.dmp

memory/2144-2-0x0000000074670000-0x0000000074C21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cahpbrwf.cmdline

MD5 bf32c4b77780aaf2a5650fa5c1ce4de6
SHA1 db702d5eebbc9d602f3ad74ebf62173185c97ca1
SHA256 63ab7960a4b21166da8fcd00c34da439ce2fd9e127caaff364f9e6980b466b8c
SHA512 d0630c7bce3c77f2f9411b1afba9bbe092c1d0199290d827f7ba3c025f87882f404cc3c2ca81de7f4b44b705432d1351438e2f9e244d1d11dc0ff5379e62df29

C:\Users\Admin\AppData\Local\Temp\cahpbrwf.0.vb

MD5 40c581e2ea795363a804147f3c4e9798
SHA1 030cba8b13bc53ab1b07efddab20afec29df12fc
SHA256 973c60bdd256cc7dc3014e86b80fe4776780e8b1d03b887f01b9328465aac2ea
SHA512 68c27d93183a8b7eaa3f9086a80edbfc06dbf4e13df07685394cd1195c1a65ac6d263e6caa285799625024ec74b68d5c0159ce5dcfcfc8b02cefe092c4ceb529

memory/1488-9-0x0000000074670000-0x0000000074C21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8fd8e054ba10661e530e54511658ac20
SHA1 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512 c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

C:\Users\Admin\AppData\Local\Temp\vbc52324A9B7E964BD8B1374B1DE36163B3.TMP

MD5 bd5f4f396f17df9b794f8a499102bb06
SHA1 d187ff42b7fd4ab7c596028d8b74b664c9ddb058
SHA256 7cd492b27f0a18e4227cd0554fbbb6a7756c8fe6bd2ad8d11090fa897f12dda9
SHA512 88502b04a622c8ff18caa8372a16ce010f0a6f603b4553e6a4d80c2964518af33b337564ff3e12e65d5fdaa0c893ec6238e0580abdf813a21f73a6472cbb3c76

C:\Users\Admin\AppData\Local\Temp\RES6486.tmp

MD5 19df235e03568ae14314034e6ce35c48
SHA1 dd5a85c4dcc80b62b158c3f5599bdfa4b4f369d0
SHA256 c4bf1610b6d53ec7453884e7bff7fbf433b91ba91348a12db530effa164a5525
SHA512 0130b13ca57460cbcc5375cd9a09ce236dadfcfead1a8607e311a5338753c87bb7ebe0200df8fd80dcd61af07ab76e0e6a878c23305d0dea98dd74e319bb9226

memory/1488-18-0x0000000074670000-0x0000000074C21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp63BB.tmp.exe

MD5 81f7e5d3d03fc830b13484bf9efe3d52
SHA1 57d742427f82019971f9ce5059b5469b1771b44e
SHA256 03fa9d66baf99c9364c134efdba29ecac5162153e754768e831f933789ab0c5e
SHA512 c1bd03060e737ad72e7634d83b66417d441cc49bcf8ddd9636bb779dd85e0f25c45062106b12624c972ab5796fd23eb477f0948894fce45681b90cc8ca66f3e1

memory/2144-22-0x0000000074670000-0x0000000074C21000-memory.dmp

memory/2592-24-0x0000000074670000-0x0000000074C21000-memory.dmp

memory/2592-25-0x0000000074670000-0x0000000074C21000-memory.dmp

memory/2592-23-0x0000000074670000-0x0000000074C21000-memory.dmp

memory/2592-27-0x0000000074670000-0x0000000074C21000-memory.dmp

memory/2592-28-0x0000000074670000-0x0000000074C21000-memory.dmp

memory/2592-29-0x0000000074670000-0x0000000074C21000-memory.dmp