Malware Analysis Report

2024-11-30 16:01

Sample ID 220615-drlanaadbk
Target 2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf
SHA256 2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf
Tags
imminent spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf

Threat Level: Known bad

The file 2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Drops startup file

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-06-15 03:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-15 03:14

Reported

2022-06-15 07:10

Platform

win7-20220414-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe"

Signatures

Imminent RAT

trojan spyware imminent

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dNJoej.url | C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1824 set thread context of 1800 | N/A | C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 1824 wrote to memory of 240 | N/A | C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | 4
PID 240 wrote to memory of 1448 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | 4
PID 1824 wrote to memory of 1800 | N/A | C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | 12

Processes

C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe

"C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vvva0ea1\vvva0ea1.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B8E.tmp" "c:\Users\Admin\AppData\Local\Temp\vvva0ea1\CSC9F5718CA42034171B9F4D49D7895F38.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto | Connections
CH | 91.192.100.13:1716 | N/A | tcp | 15
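The behavioral1 tables above describe one chain: the sample in %TEMP% spawns csc.exe and cvtres.exe (compile-at-runtime), launches RegAsm.exe with no arguments, writes that process's memory and resets its thread context, drops a .url into the user's Startup folder, and the sandbox then records repeated TCP connections to 91.192.100.13:1716. The Python below is an added detection example, not sandbox output or code from this report. It runs five rules over constructed Sysmon-style records built from those tables; the sample's parent (explorer.exe), WmiApSrv's parent (services.exe) and the attribution of the TCP connection to the RegAsm.exe process are assumptions, since the report records none of them.

```python
"""Detection rules for the behavioral1 chain, run over constructed Sysmon-style
records.  Added example: the records are hand-built from this report's tables
and are not sandbox output."""

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe")
CSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
WMIAPSRV = r"C:\Windows\system32\wbem\WmiApSrv.exe"

# PIDs, images, command lines, the .url drop and the 91.192.100.13:1716 endpoint
# are taken from the report.  ASSUMED: the sample's parent (explorer.exe),
# WmiApSrv's parent (services.exe), and that the TCP connection belongs to the
# hollowed RegAsm.exe; the report attributes the connection to no process.
EVENTS = [
    {"type": "process", "pid": 1824, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 240, "image": CSC, "parent_image": SAMPLE,
     "cmdline": '"' + CSC + r'" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vvva0ea1\vvva0ea1.cmdline"'},
    {"type": "process", "pid": 1448, "image": CVTRES, "parent_image": CSC,
     "cmdline": CVTRES + r' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B8E.tmp"'},
    {"type": "process", "pid": 1800, "image": REGASM, "cmdline": '"' + REGASM + '"',
     "parent_image": SAMPLE},
    {"type": "process", "pid": 2100, "image": WMIAPSRV, "cmdline": WMIAPSRV,
     "parent_image": r"C:\Windows\system32\services.exe"},
    # Cross-process operations, named as the sandbox signatures name them.
    {"type": "WriteProcessMemory", "src": 1824, "dst": 240},
    {"type": "WriteProcessMemory", "src": 240, "dst": 1448},
    {"type": "WriteProcessMemory", "src": 1824, "dst": 1800},
    {"type": "SetThreadContext", "src": 1824, "dst": 1800},
    {"type": "file_create", "pid": 1824,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dNJoej.url"},
    {"type": "connect", "pid": 1800, "dst": "91.192.100.13", "port": 1716, "proto": "tcp"},
]

DOTNET_DIR = "c:\\windows\\microsoft.net\\framework"   # prefix also covers Framework64
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
STARTUP = "\\start menu\\programs\\startup\\"


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(path):
    return any(m in path.lower() for m in USER_WRITABLE)


def _no_args(proc):
    return proc["cmdline"].strip() in (proc["image"], '"' + proc["image"] + '"')


def detect(events):
    """Return a list of {rule, pid, detail} findings for the given records."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []

    def hit(rule, pid, detail):
        findings.append({"rule": rule, "pid": pid, "detail": detail})

    for pid, p in procs.items():
        name = _base(p["image"])
        # Compile-at-runtime: the C#/VB compiler started by something in a user-writable path.
        if name in ("csc.exe", "vbc.exe") and _user_writable(p["parent_image"]):
            hit("runtime-compile-from-user-writable-parent", pid, p["parent_image"])
        # RegAsm/RegSvcs always take an assembly path; a bare launch is a hollowing host.
        if name in ("regasm.exe", "regsvcs.exe") and _no_args(p):
            hit("dotnet-lolbin-no-args", pid, p["cmdline"])

    # Hollowing: one source both writes the target's memory and resets its thread
    # context.  WriteProcessMemory alone is normal for a parent creating a child
    # (csc.exe -> cvtres.exe above) and is deliberately not flagged.
    wpm = {(e["src"], e["dst"]) for e in events if e["type"] == "WriteProcessMemory"}
    stc = {(e["src"], e["dst"]) for e in events if e["type"] == "SetThreadContext"}
    for src, dst in sorted(wpm & stc):
        s, d = procs.get(src), procs.get(dst)
        if s and d and s["image"].lower() != d["image"].lower():
            hit("process-hollowing-pattern", src,
                _base(s["image"]) + " -> " + _base(d["image"]) + " (pid %d)" % dst)

    for e in events:
        if e["type"] == "file_create":
            low = e["path"].lower()
            if STARTUP in low and low.endswith((".url", ".lnk")) and _user_writable(procs[e["pid"]]["image"]):
                hit("startup-folder-persistence", e["pid"], e["path"])
        elif e["type"] == "connect" and procs[e["pid"]]["image"].lower().startswith(DOTNET_DIR):
            # Framework utilities such as RegAsm.exe have no reason to open sockets.
            hit("dotnet-tool-outbound-connection", e["pid"],
                "%s:%d/%s" % (e["dst"], e["port"], e["proto"]))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print("[%s] pid %d: %s" % (f["rule"], f["pid"], f["detail"]))
```

The hollowing rule requires both WriteProcessMemory and SetThreadContext on the same source/target pair; that is what separates the 1824 -> 1800 RegAsm.exe injection from the 240 -> 1448 csc.exe -> cvtres.exe writes, which every parent performs when it creates a child. Against real telemetry, feed the same record shapes from Sysmon event IDs 1, 3, 8/10 and 11.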

Files

memory/1824-54-0x0000000000B70000-0x0000000000BE0000-memory.dmp

memory/240-55-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\vvva0ea1\vvva0ea1.cmdline

MD5 aa158ce0a397868f1ac2743fa3a4684f
SHA1 58494a8a44eebe51d8eaf7e8bbe3a383c7730c56
SHA256 c6e9692ff0324746ff2773311ff85bd8e63eadbd7bf47f591c26f1ebb1e3b4f9
SHA512 bd81b744313e7c1053c2e2e68424227cddd486e2a19ecea80101cdaeaffc3d74b3bb72e9c1f7334ee94125c02fb036958d0ff2bc509b5653f2a31c1892f27131

\??\c:\Users\Admin\AppData\Local\Temp\vvva0ea1\vvva0ea1.0.cs

MD5 69dd8526926b988e8767808fc897b5ad
SHA1 cb336d7210fa47e4fa87f304c6148474aecbf8c1
SHA256 9e8ed9bb70322a0c886abf87320a9a2fb1c460d94b8a97983ddfe55ba79e5e67
SHA512 53bdcffe1e934189842d1c02238e115cfff5e090306a0f65f8c0b3cd593323f68bb990c2710cf8b23db91d47591da09887c0287212a3f29261d992ed80c0ee12

memory/1448-58-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\vvva0ea1\CSC9F5718CA42034171B9F4D49D7895F38.TMP

MD5 2718c1067c3d9d3528faecb9c875f444
SHA1 ec9d3e5dc5c221980a16da4e2481dc55a0a5159a
SHA256 e1455997bf636f2f30149d9636dad9c70a940816366cacea0d138a8bf42624ab
SHA512 e12b8499af77490d5305b74d16d14b968d4dddf9e9738d3e59d2f2efbbef7cc23a6fe1b4bf2e7911a0ebf74d6266623dc62bc872ecdb38c5e73fb23dbb87fabd

C:\Users\Admin\AppData\Local\Temp\RES8B8E.tmp

MD5 55147fb7a02b13b50a7e2142c20c9617
SHA1 75d0e2d02c1760ec634204f3f209f8d343d12c11
SHA256 71582d70c2e49ad51324db2e6b20c17fde2cd0eb55748f1595736c640244f5f5
SHA512 5c48514296e71176b5bfa0df31579d4a2162bc258434dfda73992261f23bc52522349a1a355978ebb847cc70685637ab18be051282204048f075c74fc6ebecac

C:\Users\Admin\AppData\Local\Temp\vvva0ea1\vvva0ea1.dll

MD5 71742fe1bdae7ee1f7fea0c4f72b347d
SHA1 54586f8e61112cc377e58747c6e589e52be2fa26
SHA256 45f9efce9e6473d3d0314ba423e1b3ed1d605aac6625362d7eb60d4b164dcd23
SHA512 c89b3eacd86f25089151bfb2926c92e046478e020b8fdef0665c4d263de2d949bad2ab3fde74811a87b1a1797338011d3c602123568a531b6012c4653bb2d0f6

C:\Users\Admin\AppData\Local\Temp\vvva0ea1\vvva0ea1.pdb

MD5 cd666f98f05f6097d4f229f6b14aa248
SHA1 5ba6f88795a8f7b625343663e847c045c0b1cdd0
SHA256 67c4484b242b3c2862f2bf93d7df99eb6ac5644c7a991333451bde96f53f077b
SHA512 60ab6b8cf04937828ced6c80a7c2dbfdd492cda4aae0217a347ddcce5325bca716390efd5cc780076e3f1acf6ac34637c63d39522d706fa4166cdfd2d1ecad03

memory/1824-63-0x0000000000430000-0x000000000043A000-memory.dmp

memory/1824-64-0x00000000041C0000-0x0000000004220000-memory.dmp

memory/1824-65-0x0000000000460000-0x000000000046C000-memory.dmp

memory/1824-66-0x0000000075E41000-0x0000000075E43000-memory.dmp

memory/1824-67-0x0000000004EA0000-0x0000000004EF6000-memory.dmp

memory/1800-68-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1800-69-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1800-71-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1800-73-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1800-72-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1800-74-0x0000000000451CAE-mapping.dmp

memory/1800-76-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1800-78-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1800-80-0x00000000742F0000-0x000000007489B000-memory.dmp

memory/1800-81-0x00000000742F0000-0x000000007489B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-15 03:14

Reported

2022-06-15 07:10

Platform

win10v2004-20220414-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe"

Signatures

Imminent RAT

trojan spyware imminent

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dNJoej.url | C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe | N/A
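The persistence artefact in both detonations is a .url shortcut (dNJoej.url) written to the per-user Startup folder. The shell opens every Startup item at logon, so a .url whose URL= line is a file: path to an executable relaunches that executable on each logon. The Python below is an added triage example, not part of the report: it parses the InternetShortcut format and flags the cases a responder cares about. The report does not show the shortcut's contents, so the sample bodies are constructed; the malicious one is assumed to point back at the dropped sample in %TEMP%, and a benign bookmark is included so the rules can be seen not to fire on it.

```python
"""Triage of *.url shortcuts in the per-user Startup folder, the persistence
mechanism recorded above (dNJoej.url).  Added example, not part of the report."""
import configparser
import os
import re
import tempfile
from urllib.parse import unquote, urlparse

SAMPLE_EXE = ("C:/Users/Admin/AppData/Local/Temp/"
              "2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe")

# Constructed shortcut bodies.  The report names the dropped file but not its
# contents; the first body is ASSUMED to point back at the sample, the second is
# a benign bookmark included so the rules are seen not to fire on it.
SHORTCUTS = {
    "dNJoej.url": "[InternetShortcut]\r\nURL=file:///" + SAMPLE_EXE + "\r\nIconIndex=0\r\n",
    "Docs.url": "[InternetShortcut]\r\nURL=https://docs.example.invalid/\r\n",
}
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".lnk")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def parse_url_file(text):
    """Return the [InternetShortcut] section as a dict with lower-case keys, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return dict(cp.items("InternetShortcut"))


def file_url_to_path(url):
    """file:///C:/a/b.exe -> C:\\a\\b.exe ; file://srv/share/x -> \\\\srv\\share\\x"""
    u = urlparse(url)
    path = unquote(u.path).replace("/", "\\")
    if u.netloc:                                  # UNC form
        return "\\\\" + u.netloc + path
    if re.match(r"^\\[A-Za-z]:", path):           # drop the slash before the drive letter
        path = path[1:]
    return path


def assess(fields):
    """Flags for one parsed shortcut.  Startup items are opened by the shell at
    logon, so a file: URL naming an executable is a launch, not a bookmark."""
    if not fields or not fields.get("url", "").strip():
        return ["no-url"]
    url = fields["url"].strip()
    flags = []
    scheme = urlparse(url).scheme.lower()
    if scheme == "file":
        target = file_url_to_path(url)
        low = target.lower()
        if target.startswith("\\\\"):
            flags.append("unc-target")
        if low.endswith(EXEC_EXT):
            flags.append("launches-local-executable")
        if any(m in low for m in USER_WRITABLE):
            flags.append("target-in-user-writable-path")
    elif scheme not in ("http", "https"):
        flags.append("unusual-scheme:" + scheme)
    if fields.get("iconfile", "").startswith("\\\\"):
        flags.append("remote-icon-file")          # forces an SMB connection to that host at logon
    return flags


def scan_startup_dir(directory):
    """Map file name -> flags for every *.url in the directory."""
    results = {}
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        if entry.is_file() and entry.name.lower().endswith(".url"):
            with open(entry.path, encoding="utf-8", errors="replace") as fh:
                results[entry.name] = assess(parse_url_file(fh.read()))
    return results


def demo():
    """Write the constructed shortcuts to a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SHORTCUTS.items():
            with open(os.path.join(d, name), "w", newline="") as fh:
                fh.write(body)
        return scan_startup_dir(d)


if __name__ == "__main__":
    import sys
    # On a live host pass the Startup folder, e.g.
    #   "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
    results = scan_startup_dir(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for name, flags in results.items():
        print(name + ": " + (", ".join(flags) or "clean"))
```

Run without arguments it scans the constructed samples; with a directory argument it scans a real Startup folder. A .url that passes every rule still deserves a glance at its IconFile and WorkingDirectory keys, which the example only checks for UNC paths.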

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4596 set thread context of 4092 | N/A | C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 4596 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | 3
PID 4520 wrote to memory of 3412 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | 3
PID 4596 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | 3
PID 4596 wrote to memory of 4092 | N/A | C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | 8

Processes

C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe

"C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pbfnjv5r\pbfnjv5r.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6556.tmp" "c:\Users\Admin\AppData\Local\Temp\pbfnjv5r\CSCDD4ED26E253E4288A6FCDC2D874C429.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto | Connections
US | 13.107.21.200:443 | N/A | tcp | 1
CH | 91.192.100.13:1716 | N/A | tcp | 23
FR | 2.16.119.157:443 | N/A | tcp | 2
US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp | 1
US | 67.24.169.254:80 | N/A | tcp | 1

Files

memory/4596-130-0x0000000000860000-0x00000000008D0000-memory.dmp

memory/4520-131-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\pbfnjv5r\pbfnjv5r.cmdline

MD5 cca11bad5e20d0f747e16a7acbbf9a1d
SHA1 344a4d56af2078bcf1c8b5dfe7142ce9eda37f33
SHA256 b516688ed08911187be55a0658bd79a5976e4fb71b96683d827655196c8134f9
SHA512 9ec56170be571df70fbd9b9a109555b87de8c112d2151b07c419a32dfa65f28d391b087fca3417b60c0cb0da056bd202a8d485e86c8eabc442c38142f239f9cd

\??\c:\Users\Admin\AppData\Local\Temp\pbfnjv5r\pbfnjv5r.0.cs

MD5 69dd8526926b988e8767808fc897b5ad
SHA1 cb336d7210fa47e4fa87f304c6148474aecbf8c1
SHA256 9e8ed9bb70322a0c886abf87320a9a2fb1c460d94b8a97983ddfe55ba79e5e67
SHA512 53bdcffe1e934189842d1c02238e115cfff5e090306a0f65f8c0b3cd593323f68bb990c2710cf8b23db91d47591da09887c0287212a3f29261d992ed80c0ee12

memory/3412-134-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\pbfnjv5r\CSCDD4ED26E253E4288A6FCDC2D874C429.TMP

MD5 22905d3b248cce6603ce0e27330ec7bb
SHA1 345f43b9164e1f104c0c1e06ccd65c9242c46872
SHA256 8942d9317f4c45401215e1c848c8832b5ca02b5e35b34f67eb53e9e34761c04f
SHA512 0e09936185fa45f14ed9f4f70a56b8854c62dbf68f9ff10476af846a5cffc90abcc84e7c4e3b7e9bef91455bfb19cbc255f57b16741db9ef6a2b077293decdda

C:\Users\Admin\AppData\Local\Temp\RES6556.tmp

MD5 6de5ff8cfe90ef8e9b3fe404450e6157
SHA1 2be191d869cb778c69ecdf97193ef186912d4571
SHA256 ec45a392a42de4edd87c664368eb50ff916249c9495565d6df2e8b504aaa7f10
SHA512 ee00452a5823308b634a2b02144f47ee96bd1dd7a75829ee1617db0ba5aec9db6efadc9afb53ff6f4dc583cd376c427d39f5dd4f7a1a8b1eaab499e7b8b62d2b

C:\Users\Admin\AppData\Local\Temp\pbfnjv5r\pbfnjv5r.dll

MD5 4b87584cc52bb8d9ee7323aefcef5568
SHA1 5ae7112e89093b96e4e69682411d4ce0e079c399
SHA256 d2caf200696a99f5870248c4d331d4106d86e7a87def9d71cd7dfaa02c859252
SHA512 ea4d5c043922adea28d4cc9178fabec2f438245555db02858475dd726ea0d9de3a8c617750899a2f76cbf721b5f6e36770bda9f8309396f37f0a8c00da4f46bd

C:\Users\Admin\AppData\Local\Temp\pbfnjv5r\pbfnjv5r.pdb

MD5 69f8be3a4fb01a7db00a5a03eb8d0326
SHA1 e9383224ddd3e920935e81a7dfc55adb893b698a
SHA256 1c853c29f74827098b61e498b8acbfebe61dec52d95b80429d1401b5256aa6cc
SHA512 2cd04c785f482ede1ccb585a49b1aeaed794b729220b9210d1167bb5ef65b6121f277027cc15bfefe1befd91088cb8a775cedde5b7be449a59c9e83220c096e0

memory/4596-139-0x0000000005240000-0x00000000052D2000-memory.dmp

memory/4596-140-0x0000000005920000-0x00000000059BC000-memory.dmp

memory/2252-141-0x0000000000000000-mapping.dmp

memory/4092-142-0x0000000000000000-mapping.dmp

memory/4092-143-0x0000000000400000-0x0000000000456000-memory.dmp

memory/4092-144-0x0000000074AE0000-0x0000000075091000-memory.dmp

memory/4092-145-0x0000000074AE0000-0x0000000075091000-memory.dmp