Malware Analysis Report

2024-11-30 16:02

Sample ID: 220621-bvxfzsabh3
Target: 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2
SHA256: 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2
Tags: imminent, spyware, trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2

Threat Level: Known bad

The file 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2 was found to be: Known bad.

Malicious Activity Summary

Tags: imminent, spyware, trojan

Imminent RAT

Drops startup file

Loads dropped DLL

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-06-21 01:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-06-21 01:28
Reported: 2022-06-21 01:32
Platform: win7-20220414-en
Max time kernel: 178s
Max time network: 99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe"

Signatures

Imminent RAT (tags: trojan, spyware, imminent)

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YOdFDv.url | C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1304 set thread context of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1304 wrote to memory of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | 4
PID 956 wrote to memory of 1644 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | 4
PID 1304 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | 12

Processes

C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe

"C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kva1bd13\kva1bd13.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE966.tmp" "c:\Users\Admin\AppData\Local\Temp\kva1bd13\CSCEBA40E1F713E4A9D89EF6587A57E490.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp

Files

memory/1304-54-0x0000000001050000-0x00000000010F4000-memory.dmp

memory/956-55-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\kva1bd13\kva1bd13.cmdline

MD5 98ab2ff479af65b55aaa8b0ddbad8f6c
SHA1 7ba29c7e46f2c6dd72aa6114d6e904889f3367f2
SHA256 2b1dd606b230cf3a2b145337b254ed5702af4837c8eb94cf6172f5bdaf12227f
SHA512 407e57532739052cc068f4498493d81f674090ff4aaeae7971bb23e0a86bf8c2dd61dfa14f8204df0ef0c8753086b8dcd9b727f3449583b23d18cdd9d930be11

\??\c:\Users\Admin\AppData\Local\Temp\kva1bd13\kva1bd13.0.cs

MD5 a0ab466f52a7447731f3f571e33dc5ce
SHA1 46e43682762604835718e4e46b0c8abd4f392900
SHA256 3584ca8e05e6280835c93957caf7c752b9f7b3e8ec7317eeaa82f2bc7853b470
SHA512 e9a467aadfe45a56a0665a91ff27fc81b6dae2999cc02eb29381e62fd613022bc02de3baf4b5469046913897b3f8f56d2084053fadf46f353c5f1370326a7a99

memory/1644-58-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\kva1bd13\CSCEBA40E1F713E4A9D89EF6587A57E490.TMP

MD5 8e9b75a79ff36c421d8cc8ceff3472cc
SHA1 c6157bfc576f91a7127fd2b931e387f673880b13
SHA256 9a089f65b9e4c8e584a43d0ecdf46252af95bbd32e454d1f8b6c684f14e7e947
SHA512 0b57b05eda9e04083a948e74ad8bc4adfb2cad1df25fa5cb4c5ed28b21835a1490a47bedf9b851d2d969925c6d766ace8b35100ba021b5c9f510b37f58da4586

C:\Users\Admin\AppData\Local\Temp\RESE966.tmp

MD5 c4fd28ef44119065453a187f613f9276
SHA1 9224bc5f3e0d811bcca3d2cfdb7e0adb8272aeb4
SHA256 ce543aff17ee9bbb5e3af12c3fda818039e47185e19ec2aa0a8bd5c2bd837b01
SHA512 2e2404ac31bfc5ffb8a14846167f0aa08e45b5d45ad8c6fcdcf352849afdedb053eee651912759a0c1125c9586aef4c743458869bbb607a7f0781c64f473a8c1

C:\Users\Admin\AppData\Local\Temp\kva1bd13\kva1bd13.pdb

MD5 cc2723a3d2fe86e467ef563d8d97fb69
SHA1 13f5aeb4fda28abbce1ff26a1910f75abba4ad64
SHA256 48ecafce1be22e16d8d5e9062aab28744bca75fb44a5b7da84e4c004c30b74d7
SHA512 403f7b9957e532ae3c24578e35f42fbd5d9db4fde39453a884290c62f54bf29fe12d370e0247d91b1a37a14a6b5958b5f65955187ae68950963b830cab40ce65

C:\Users\Admin\AppData\Local\Temp\kva1bd13\kva1bd13.exe

MD5 568dfc9b6581abb3d27816660b48f5b3
SHA1 d8cf8cd34274f4af8429cd24a6ed03a3679d2145
SHA256 70f5b327a8aada53b151d57e9e07197681ee0dca0b82d8e1d48e6428b8b1c7ec
SHA512 2749cca5f502050d716b8d9968ff59bb3de2204d94ea4f295556afe7e4ae6da50a8ea3fa255a6559016657cde3a0cc8ba4aa670306843920a04517b746d8bfc3

\Users\Admin\AppData\Local\Temp\kva1bd13\kva1bd13.exe

MD5 568dfc9b6581abb3d27816660b48f5b3
SHA1 d8cf8cd34274f4af8429cd24a6ed03a3679d2145
SHA256 70f5b327a8aada53b151d57e9e07197681ee0dca0b82d8e1d48e6428b8b1c7ec
SHA512 2749cca5f502050d716b8d9968ff59bb3de2204d94ea4f295556afe7e4ae6da50a8ea3fa255a6559016657cde3a0cc8ba4aa670306843920a04517b746d8bfc3

memory/1304-65-0x00000000003F0000-0x00000000003FC000-memory.dmp

memory/1304-68-0x00000000003F0000-0x00000000003FC000-memory.dmp

memory/1304-69-0x0000000076531000-0x0000000076533000-memory.dmp

memory/1304-70-0x0000000000E10000-0x0000000000E70000-memory.dmp

memory/1304-71-0x00000000006E0000-0x00000000006EC000-memory.dmp

memory/1304-72-0x0000000004D20000-0x0000000004D76000-memory.dmp

memory/1084-73-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1084-74-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1084-76-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1084-77-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1084-78-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1084-79-0x0000000000451E5E-mapping.dmp

memory/1084-81-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1084-83-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1084-85-0x00000000746F0000-0x0000000074C9B000-memory.dmp

memory/1084-86-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-06-21 01:28
Reported: 2022-06-21 01:32
Platform: win10v2004-20220414-en
Max time kernel: 178s
Max time network: 192s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe"

Signatures

Imminent RAT (tags: trojan, spyware, imminent)

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YOdFDv.url | C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4348 set thread context of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 4348 wrote to memory of 4136 | N/A | C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | 3
PID 4136 wrote to memory of 4552 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | 3
PID 4348 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | 8

Processes

C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe

"C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uonnpqze\uonnpqze.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56DA.tmp" "c:\Users\Admin\AppData\Local\Temp\uonnpqze\CSCD3872A4BBA674BF092409468D633F8F1.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto | Count
US | 52.109.8.20:443 | N/A | tcp | 1
NL | 104.110.191.133:80 | N/A | tcp | 2
US | 20.42.73.26:443 | N/A | tcp | 1
GB | 92.123.143.240:80 | N/A | tcp | 3
US | 13.107.21.200:443 | N/A | tcp | 1
NL | 104.110.191.133:80 | N/A | tcp | 1
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp | 15

Files

memory/4348-130-0x00000000007E0000-0x0000000000884000-memory.dmp

memory/4136-131-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\uonnpqze\uonnpqze.cmdline

MD5 653fd214cb57cd59597faa52b9dc1299
SHA1 5e6ffce4b18a4d07514a89a1566f5c55e3dc977f
SHA256 1b884b8212bbdc6bdf2194bd58a11f3fa2e88d98c3c879094f5817c82adfbfa5
SHA512 b884a5b8ca1a2a0a98f84c77a5b7b4175b87aec7c38180dac84c5969e528233a588f7a6a1fd160a67def844919d13b3014baffbc7c63c5347fbd9d3be4aabf2b

\??\c:\Users\Admin\AppData\Local\Temp\uonnpqze\uonnpqze.0.cs

MD5 a0ab466f52a7447731f3f571e33dc5ce
SHA1 46e43682762604835718e4e46b0c8abd4f392900
SHA256 3584ca8e05e6280835c93957caf7c752b9f7b3e8ec7317eeaa82f2bc7853b470
SHA512 e9a467aadfe45a56a0665a91ff27fc81b6dae2999cc02eb29381e62fd613022bc02de3baf4b5469046913897b3f8f56d2084053fadf46f353c5f1370326a7a99

memory/4552-134-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\uonnpqze\CSCD3872A4BBA674BF092409468D633F8F1.TMP

MD5 be07a450ccca1855fe04df620128ca0a
SHA1 92b367fde3dada3f77fff4f26a8186a82db88add
SHA256 c10389b770a39925ff678d1f2b0dc15b2144d951fe6f403d7fb50cda382b3027
SHA512 ae43b203382ee7e032491381841a0a51921bc5e1dd0a880e99a4e5e8f84cf2e5f95c3869013583f44d10409520b24cbc029ee8f38083ff25550bbba08bfff018

C:\Users\Admin\AppData\Local\Temp\RES56DA.tmp

MD5 23dc81ea47275bbdc44af970201cdf7c
SHA1 339f32b94eb7dffa7e878644ad09c216c18ffd1f
SHA256 b1ef6a86bc30b258118a7a95d9ded19caf7a937a95b7136f88d58bec503b062d
SHA512 69b25ee77ad9d6511cc1912cf50ffac2ee09a6412741a06af7f646315972ae18b09d7f125058fd2051c0f9fcb80dbb5879f6c52dda201387bc25f745ece73233

C:\Users\Admin\AppData\Local\Temp\uonnpqze\uonnpqze.pdb

MD5 5baa0001ef4028618db9827cf2dbae72
SHA1 b5101e6ae2d94d5953e0e84f7b5838ace347138c
SHA256 d244706db6f090649bcfed42b1eda3c00b4d3d6ad47f80cf8e463faabff0e21f
SHA512 cdbe708a5d49ab08aab624f5c35ac4783b562078f94b4dd770c8a34d61941140a7f16210b4b2e9d2d13617c382392bdbe836b9a2d9529bed71593295504f047b

C:\Users\Admin\AppData\Local\Temp\uonnpqze\uonnpqze.exe

MD5 f8a0885eb40edd9318ae6b44391a1867
SHA1 7df0731863c862807d75051654e88acac784bbbb
SHA256 d7db5f87fe72626d03888c9744b6c2ebc5a2491bf667a15e6d78571fc5db30c9
SHA512 a4fccdba36c9d993be6620e632270d2cb782b75a4a03bb6fc74ce3ef7c17c3687b9ec521c86296ae712c46787680c68c3a3cc64c0020c5a08333bf2bc45e79d6

memory/4348-141-0x0000000002B70000-0x0000000002B7C000-memory.dmp

memory/4348-144-0x0000000005270000-0x0000000005302000-memory.dmp

memory/4348-145-0x00000000058F0000-0x000000000598C000-memory.dmp

memory/1340-146-0x0000000000000000-mapping.dmp

memory/1340-147-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1340-148-0x0000000074F00000-0x00000000754B1000-memory.dmp

memory/1340-149-0x0000000074F00000-0x00000000754B1000-memory.dmp