Malware Analysis Report

2024-11-30 15:59

Sample ID 220625-hw19wsaedj
Target 3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832
SHA256 3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832
Tags
imminent spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832

Threat Level: Known bad

The file 3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832 was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Drops startup file

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-06-25 07:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-25 07:05

Reported

2022-06-25 08:21

Platform

win7-20220414-en

Max time kernel

202s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe"

Signatures

Imminent RAT

trojan spyware imminent

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSydmB.url | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1928 set thread context of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1928 wrote to memory of 812 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1928 wrote to memory of 812 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1928 wrote to memory of 812 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1928 wrote to memory of 812 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 812 wrote to memory of 2044 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 812 wrote to memory of 2044 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 812 wrote to memory of 2044 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 812 wrote to memory of 2044 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1928 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 564 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 564 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 564 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 564 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 564 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 564 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 564 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1928 wrote to memory of 616 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe

"C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cwqcjm5n\cwqcjm5n.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA78.tmp" "c:\Users\Admin\AppData\Local\Temp\cwqcjm5n\CSCC8A2BC2F1AE1405CB9C81AFD7AA52010.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp

Files

memory/1928-54-0x0000000000E00000-0x0000000000E74000-memory.dmp

memory/812-55-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\cwqcjm5n\cwqcjm5n.cmdline

MD5 9e4887d19668b0b93af48b552961765b
SHA1 9bb9b16510bd09a4a7b9871f1b633b79758a5725
SHA256 3973f548c98e583c95d96ebabe2d9215fbc302d392adaac76b35b4e51dbc4256
SHA512 64d35fc733cd83666e27ac331e785a2d69983b57d29ee9c0b5c7b6a40c9c0b6db7e59d40c1f96668933cc90b3aba1707b7b566d3d26020221f92ac60516e69d7

\??\c:\Users\Admin\AppData\Local\Temp\cwqcjm5n\cwqcjm5n.0.cs

MD5 2421f4b574d919c0c286f0d76a6d7250
SHA1 d072d0b24b9ebdf33209261f9dd9e7a8d5a04f97
SHA256 ea3369074ef51e126f6044a14693e40d1ff0a46b060b5576f3a81940bd1e95a7
SHA512 5c9c397ee760061001f34ddfc418e34468161ea95bc0f0bdfc4c7f98508be69527763f25fe5134c8cdf0d2ecd57362010f54271bfb0b6289780ace527babd496

memory/2044-58-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\cwqcjm5n\CSCC8A2BC2F1AE1405CB9C81AFD7AA52010.TMP

MD5 b50a7065201ed766ebe65e5727456157
SHA1 007b0fb369baba19304cdf1f6205965ce5ccf694
SHA256 b45ad965bf36c526968327f1a7ae37ddd36d4e565e7e81446666ab5878b1bff9
SHA512 48e06fe218c7d3b5ad16dbf187a906ee4862290a30cdb527289bdc65dc074ed39839da7960c89d7807e316d692cb5e389c462e1c45ee395178313ebec7a5efb8

C:\Users\Admin\AppData\Local\Temp\RESDA78.tmp

MD5 848fc67e2339d2bf273a2af9e236ee85
SHA1 83fe1181a85fa425f90bff784b16eef889cc65ae
SHA256 cb24f19adefcf3238e542a50257ca747470662e8c1a7defb970c887338bd9b9d
SHA512 87939c4df714ca2864a9e1724d606c76f3d2b427d506270c08af7f97ff9aab55524bd3adb580a944d4595f2363367c2eadcac89768ed526ea085bcd3c02b4484

C:\Users\Admin\AppData\Local\Temp\cwqcjm5n\cwqcjm5n.dll

MD5 24b780f9580309b9e449c43ecc487f82
SHA1 43c56f3ed49098d916dd6dfdaf56796d5c371dc9
SHA256 693dc8f84c8dbe183dae1dfd038dbd66408afe1ad5bd28879a500c7a551d4640
SHA512 2fa9a891241eaf7c93306ec615dbc407467f6241f8f0e6404289d08e5752f246ea6bc6cf8f12b8b69e61ab62245b55e4426b9c922c77788b88221c257e61cbb9

C:\Users\Admin\AppData\Local\Temp\cwqcjm5n\cwqcjm5n.pdb

MD5 c6ab4a1384aea3a1250ddb2f0735c59d
SHA1 32b22ae8eb4483a4f60655dc338f1f237b3f54fe
SHA256 ddd2feb107e3464bd661178fff7159349b280042cbdad7b3cb91ed3977e6f4f2
SHA512 4a18268612a19951967546b90968fe5c0a4212d937181815ec7dd1c98e5f9ec8ed5c48c5ee9c19642e33ce01d36c978a69457509e85aa36b6658b5399c6570b4

memory/1928-63-0x00000000003E0000-0x00000000003E8000-memory.dmp

memory/1928-64-0x0000000000C50000-0x0000000000CB0000-memory.dmp

memory/1928-65-0x00000000004A0000-0x00000000004AC000-memory.dmp

memory/1928-66-0x0000000076851000-0x0000000076853000-memory.dmp

memory/1928-67-0x0000000004870000-0x00000000048C6000-memory.dmp

memory/616-68-0x0000000000400000-0x0000000000456000-memory.dmp

memory/616-69-0x0000000000400000-0x0000000000456000-memory.dmp

memory/616-72-0x0000000000400000-0x0000000000456000-memory.dmp

memory/616-71-0x0000000000400000-0x0000000000456000-memory.dmp

memory/616-74-0x0000000000451E5E-mapping.dmp

memory/616-73-0x0000000000400000-0x0000000000456000-memory.dmp

memory/616-76-0x0000000000400000-0x0000000000456000-memory.dmp

memory/616-78-0x0000000000400000-0x0000000000456000-memory.dmp

memory/616-80-0x0000000074F00000-0x00000000754AB000-memory.dmp

memory/616-81-0x0000000074F00000-0x00000000754AB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-25 07:05

Reported

2022-06-25 08:21

Platform

win10v2004-20220414-en

Max time kernel

158s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe"

Signatures

Imminent RAT

trojan spyware imminent

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSydmB.url | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1640 set thread context of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1640 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1640 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1640 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1296 wrote to memory of 1512 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1296 wrote to memory of 1512 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1296 wrote to memory of 1512 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1640 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1640 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1640 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1640 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1640 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1640 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1640 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1640 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe

"C:\Users\Admin\AppData\Local\Temp\3a0302895b0f7577b066f76bf860208072b7859b72fce27af3392fba23225832.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yf2s3nrj\yf2s3nrj.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64A5.tmp" "c:\Users\Admin\AppData\Local\Temp\yf2s3nrj\CSC627A4CBA2364EA1A72068F7789D464.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
NL | 20.50.201.200:443 | N/A | tcp
NL | 67.26.111.254:80 | N/A | tcp
NL | 67.26.111.254:80 | N/A | tcp
NL | 67.26.111.254:80 | N/A | tcp
US | 13.107.21.200:443 | N/A | tcp
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp

Files

memory/1640-130-0x00000000006A0000-0x0000000000714000-memory.dmp

memory/1296-131-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\yf2s3nrj\yf2s3nrj.cmdline

MD5 9f8f52ad88932382ec5351b8eb483e64
SHA1 9ba18ac1f30a465e05dfc10d9aa1ae857eee9a5d
SHA256 ae96b23d3cb1859172ef35ee17db59777b1d5de597ace0808208d5d0444d7119
SHA512 bd9c92607955dffb0fd6a3d2d12c52040f7a8afcff927b3328f78f24614508ca9142c09c5e53a13376476302d380fd6811b3d6f9b2ac51cc9e7eca27da36c5e0

\??\c:\Users\Admin\AppData\Local\Temp\yf2s3nrj\yf2s3nrj.0.cs

MD5 2421f4b574d919c0c286f0d76a6d7250
SHA1 d072d0b24b9ebdf33209261f9dd9e7a8d5a04f97
SHA256 ea3369074ef51e126f6044a14693e40d1ff0a46b060b5576f3a81940bd1e95a7
SHA512 5c9c397ee760061001f34ddfc418e34468161ea95bc0f0bdfc4c7f98508be69527763f25fe5134c8cdf0d2ecd57362010f54271bfb0b6289780ace527babd496

memory/1512-134-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\yf2s3nrj\CSC627A4CBA2364EA1A72068F7789D464.TMP

MD5 fcc8d294a441071554b3ea9bdc6dc735
SHA1 0062ae25b0e570dc6e6d940736eac4aa5e39f2e1
SHA256 2e9bcac718dfe2ba70c6d70e8c76a156e01a735bb50d357f5fe5ccd1f1719f23
SHA512 4a8f4f24a1edab1ed03ff53ab6530ea363d933c5bc62b02367f6cfdb133f991db7b360b0c6546acabdbfca0fff4efc64aa95f69ce42877c68d9976a952fc8841

C:\Users\Admin\AppData\Local\Temp\RES64A5.tmp

MD5 d42ab9788924a6aabd3b28ab0d2794bf
SHA1 e283de131ee8015488e9c5a3d04e6c9d73ffb78e
SHA256 bdf4fe08c466c4466c1fa07749ed0974a1d83670201930d3b5b23a3de1a3cf27
SHA512 24eb276fb31e9e58d724521cdcfa665c2dc08f9ec45e980ba5aa876fa9cced9d78707501737a80cd32aa4621b51d93d3fca0b3dbb0ead241c3ef84a17c23f726

C:\Users\Admin\AppData\Local\Temp\yf2s3nrj\yf2s3nrj.dll

MD5 7db050640cb2b4b414d56bff95a35ced
SHA1 cc52eeb148791f72fd33b4869e4b78027016eb4e
SHA256 65715826c37b7edb508daeae8acada8f5ca9249e97cd3b8ac36b62a07fa6d837
SHA512 a327bd2cc3c247802a96300942af56ac4f965b1af39ba67b1431b5c3cad2818b8035220f00c340ca71490f43952f821a8408cdd7e339278b4c400120ef789fbf

C:\Users\Admin\AppData\Local\Temp\yf2s3nrj\yf2s3nrj.pdb

MD5 12c82bf70afcb0bb8a2904c4ed4c813a
SHA1 c90a0cd8744b6189442a8fe32d717a6a71437f04
SHA256 3246de4d50189ae11b38f8aac4f51627c0510960da668b72e3f67892f1cfe00c
SHA512 252f0d160e5ab6d9a97b10c1b3e564d58954763a0dcce334d1637156b9f19a581e6d330fccd123565cde135e6c6ade73c11578528cbefbf28663c91dea93ce34

memory/1640-139-0x00000000050E0000-0x0000000005172000-memory.dmp

memory/1640-140-0x0000000005780000-0x000000000581C000-memory.dmp

memory/4592-141-0x0000000000000000-mapping.dmp

memory/4592-142-0x0000000000400000-0x0000000000456000-memory.dmp

memory/4592-143-0x0000000074DD0000-0x0000000075381000-memory.dmp

memory/4592-144-0x0000000074DD0000-0x0000000075381000-memory.dmp