Malware Analysis Report

2024-11-30 15:59

Sample ID: 220622-qz6msafhfr
Target: 2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d
SHA256: 2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d
Tags: imminent spyware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d
Threat Level: Known bad

The file 2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d was found to be: Known bad.

Malicious Activity Summary

Tags: imminent spyware trojan

Imminent RAT
Drops startup file
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-06-22 13:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-06-22 13:42
Reported: 2022-06-22 14:59
Platform: win7-20220414-en
Max time kernel: 172s
Max time network: 82s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe"

Signatures

Imminent RAT
Tags: trojan spyware imminent

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xKbNsQ.url | C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1928 set thread context of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1928 wrote to memory of 936 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 936 wrote to memory of 1720 (4 events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1928 wrote to memory of 2012 (12 events) | N/A | C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe
  "C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cya2eudo\cya2eudo.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0B1.tmp" "c:\Users\Admin\AppData\Local\Temp\cya2eudo\CSC404ED137746641D9915847C364134152.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp | 2

Files

memory/1928-54-0x0000000000A90000-0x0000000000B1A000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\cya2eudo\cya2eudo.cmdline
  MD5    4fda3185044ecda2bd9c252c041020fa
  SHA1   f145dd37007d49f121cf1362fe629cff14e05cc0
  SHA256 dd114f06dfb2289e743b4343a09fa8b88dd881e0ad59d96e12cf97f55d464f38
  SHA512 6fc414f1adfa16811cca6522658907f583af45847846b9b2afa8bcc1e14ff7a2cf008e2f881d7e289f43076b3c2ddc7eed38fe7f9464dd3571660e14eee428f1

memory/936-55-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\cya2eudo\cya2eudo.0.cs
  MD5    f76e24b577ae3ca4ef100472dee389a2
  SHA1   5c340ef70538d5c6806e2922a03dc5ee8498f0a6
  SHA256 5631be274722ef2bd02138122f9037e4f1d47f91f2e09bcba3f4587e4d46e378
  SHA512 e73185008beb0dcce849615cf127575a05aece9cd904adfbb08baca5eb6f4c2037e5b24aa1cef8e0e82b4e0313f3de960515a6dc9c019cdc5fd809508efea7f6

memory/1720-58-0x0000000000000000-mapping.dmp
memory/1928-63-0x0000000000220000-0x0000000000228000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cya2eudo\cya2eudo.dll
  MD5    4f0e59c96f9d2e425856b97f5d2a50a6
  SHA1   b94bae30b46d8ce96d99bede98da5bcd19f5271a
  SHA256 91d99cf33a6a2777b82f4d30e8f4f7a45431c6a5ab0707e9d8b91fa94de0d23e
  SHA512 3f59507a568bc72af5b7211385996017493b2250d550dfec45f2a027a783fd1546f5352f33d1d5ae1e4ae31c1685f41e6c38a063cb98e3d34f67982a89b61065

C:\Users\Admin\AppData\Local\Temp\cya2eudo\cya2eudo.pdb
  MD5    34d04d0b62114b754cc220468c34f567
  SHA1   7b255222c002d931889789892d6f3c16c4350be9
  SHA256 829e2fdcccd5314bf631bfac52dfc6d68591da57f545e2918d16c4545d455efd
  SHA512 3e7cb9b6a50a86c0d427ebf22fc5f7f11becb1870a0fab0b1c54d6b0d10f2a15ebf80da877b1a84c71009d819a580f36b7e2eeb33400999f6d37c9772292bcca

C:\Users\Admin\AppData\Local\Temp\RESC0B1.tmp
  MD5    e46a5c02d80e01aeb577f1dd8691fd9f
  SHA1   6919a11f0eb06d99654004998eb1035d31cc5395
  SHA256 0947bbdb2c144d74ccef8a8f31b05c6af3b3dd6ac69e2480a9afec5ff65d2857
  SHA512 ce30044e3a2a9921dce3739e68b6b8cce13ad767dcac7cf60d967a673030278fceeac9a58cd343eb32835b4dc23c1ec524d920cb42c69886eac15f3070e0569a

memory/1928-64-0x0000000004740000-0x00000000047A0000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\cya2eudo\CSC404ED137746641D9915847C364134152.TMP
  MD5    ad095ddb24bbfa1c730f343bf6e38580
  SHA1   52ff1f420103eaf6b8b3ed944d59f64c67d82e5b
  SHA256 53ab93098c10428c6fac89949a86e683d97fe576c2fb04febb8f7c0f56870f9e
  SHA512 29adb0f7c2538e4bc54827f9f430ce5719cec4c07076bce316e035e84db4144d1b1989fca3471e13441e7c1e859ad4811d062191b0be03c0ef9de91ce9cd88b7

memory/1928-65-0x00000000003E0000-0x00000000003EC000-memory.dmp
memory/1928-66-0x0000000075941000-0x0000000075943000-memory.dmp
memory/1928-67-0x0000000004BA0000-0x0000000004BF6000-memory.dmp
memory/2012-76-0x0000000000400000-0x0000000000456000-memory.dmp
memory/2012-78-0x0000000000400000-0x0000000000456000-memory.dmp
memory/2012-74-0x0000000000451E5E-mapping.dmp
memory/2012-73-0x0000000000400000-0x0000000000456000-memory.dmp
memory/2012-72-0x0000000000400000-0x0000000000456000-memory.dmp
memory/2012-71-0x0000000000400000-0x0000000000456000-memory.dmp
memory/2012-69-0x0000000000400000-0x0000000000456000-memory.dmp
memory/2012-68-0x0000000000400000-0x0000000000456000-memory.dmp
memory/2012-80-0x0000000074440000-0x00000000749EB000-memory.dmp
memory/2012-81-0x0000000074440000-0x00000000749EB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-06-22 13:42
Reported: 2022-06-22 14:59
Platform: win10v2004-20220414-en
Max time kernel: 172s
Max time network: 184s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe"

Signatures

Imminent RAT
Tags: trojan spyware imminent

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xKbNsQ.url | C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 448 set thread context of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 448 wrote to memory of 4560 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4560 wrote to memory of 4228 (3 events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 448 wrote to memory of 1836 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe
  "C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rgujhwtu\rgujhwtu.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5BC.tmp" "c:\Users\Admin\AppData\Local\Temp\rgujhwtu\CSC1FF1BC66F9D44AD7955C692FBC9D867.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto | Count
US | 20.189.173.2:443 | | tcp | 1
NL | 104.110.191.133:80 | | tcp | 3
US | 13.107.21.200:443 | | tcp | 1
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp | 16

Files

memory/448-130-0x0000000000F00000-0x0000000000F8A000-memory.dmp
memory/4560-131-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\rgujhwtu\rgujhwtu.cmdline
  MD5    b779bea2df27c24fae487044a03f345d
  SHA1   809b19fb99e183a38ad63117981a12dabcabb06c
  SHA256 0b0ee49dffe0415a51ea6b6d552732c15656f2f91202d6c7e629c230654b1b57
  SHA512 46fc3ed5df841cb314b8070f9ee4742d0e57d9680f2bb7e975ec96e0d819230b6c83af2e56dadaca4c337d57b08e2696376cc962c29aa9dcced5cab7032bb90d

\??\c:\Users\Admin\AppData\Local\Temp\rgujhwtu\rgujhwtu.0.cs
  MD5    f76e24b577ae3ca4ef100472dee389a2
  SHA1   5c340ef70538d5c6806e2922a03dc5ee8498f0a6
  SHA256 5631be274722ef2bd02138122f9037e4f1d47f91f2e09bcba3f4587e4d46e378
  SHA512 e73185008beb0dcce849615cf127575a05aece9cd904adfbb08baca5eb6f4c2037e5b24aa1cef8e0e82b4e0313f3de960515a6dc9c019cdc5fd809508efea7f6

memory/4228-134-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\rgujhwtu\CSC1FF1BC66F9D44AD7955C692FBC9D867.TMP
  MD5    87160649f58a0b6bc0718f8e3cf40385
  SHA1   e1197d1d40605575af04859e8b5005ef3f6f98cc
  SHA256 c25cc53d0ccdb7f479d21683665c96a088c3b789c54a817fb12e5f33fbbf49d6
  SHA512 32c8bf97e59837c2e35d8ab6311c372ae4b921a2bb122fe5d3fb8dd795a6f83cb5b43d027c4649b0939a34e5b36dd8c3001fd47905f597bbcacc9a1fb8348a60

C:\Users\Admin\AppData\Local\Temp\RESE5BC.tmp
  MD5    943fdd833790a8424d4fac25d15bca69
  SHA1   9b86bfc266f0bea01550af0713fbd32f352207be
  SHA256 31bf84d4af34c0bb4b31370a5ca5b7d6f8da74b85e7d5be411d569da2b61a2f0
  SHA512 8f7e59e6ddaedf980876d539e70f365cc707082faf0273f660727d3192340c0efc00aaba04921b414b9e03986dcfa7e870499178b6366d67d0f3f0f54be14b80

C:\Users\Admin\AppData\Local\Temp\rgujhwtu\rgujhwtu.dll
  MD5    2350394e075b741310d87b0f12892836
  SHA1   b515ab3f6cb3ba9e0e00373f297300546516ca48
  SHA256 0efaa74e6b6af3a5711db449b99d9c9f95deb93cf0f7605bf8df5dd223997618
  SHA512 eba15b04047693cd8e3c8428469497482ecd1f31b032c902b120bcc60f9d3f996e0a7fbe83eb6e06b3be579138b8c1246c0be5067187718f01cf935deed3dd47

C:\Users\Admin\AppData\Local\Temp\rgujhwtu\rgujhwtu.pdb
  MD5    91104216422c851a001e0db88074918b
  SHA1   edeaba80667fcd335290f5737c64c1a32654349a
  SHA256 39bc85e4bf9c30a822a5062cb720cd66866f7530a4d8622310786a344d14d78d
  SHA512 92b58fe31d694a83c2b852583696f104da3b6224e4732b3480542ca59882366fffdd20142723ebda734f049927496c18e1fb261fa2471395ca5569561dd86684

memory/448-139-0x0000000005950000-0x00000000059E2000-memory.dmp
memory/448-140-0x0000000006020000-0x00000000060BC000-memory.dmp
memory/1836-141-0x0000000000000000-mapping.dmp
memory/1836-142-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1836-143-0x00000000748C0000-0x0000000074E71000-memory.dmp
memory/1836-144-0x00000000748C0000-0x0000000074E71000-memory.dmp