Malware Analysis Report

2024-11-30 16:02

Sample ID 220707-vxgyvscedp
Target 450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6
SHA256 450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6
Tags
imminent persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6

Threat Level: Known bad

The file 450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6 was found to be: Known bad.

Malicious Activity Summary

imminent persistence spyware trojan

Imminent RAT

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-07 17:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-07 17:21

Reported

2022-07-07 17:48

Platform

win7-20220414-en

Max time kernel

150s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe"

Signatures

Imminent RAT

trojan spyware imminent

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskbars.url | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Users\\Admin\\AppData\\Roaming\\test\\test.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1684 set thread context of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1684 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1684 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1684 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1684 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2000 wrote to memory of 960 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2000 wrote to memory of 960 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2000 wrote to memory of 960 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2000 wrote to memory of 960 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1684 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1684 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1684 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1684 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1684 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1684 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1684 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1684 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1684 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1684 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1684 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1684 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1684 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1684 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1684 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1684 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1684 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1684 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1684 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe

"C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q1xxjoxh\q1xxjoxh.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1008.tmp" "c:\Users\Admin\AppData\Local\Temp\q1xxjoxh\CSC7B58E4C29DC94A0B9D4414596C95D252.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Network

N/A

Files

memory/1684-54-0x00000000010C0000-0x0000000001142000-memory.dmp

memory/2000-55-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\q1xxjoxh\q1xxjoxh.cmdline

MD5 184b64553d952c7ffe8ea8e93a091b50
SHA1 eea3d4caf945d2e7007d3edc654cd7308ae1bd0d
SHA256 5f8a47d0b6179c2091ce883b4fd73e29437e4a62c06a2e730890d97bcae7a12c
SHA512 953e075b1ca39cf27657d53bc6dec4ef4370611bc5af930999ad0b4b20bc68380931fc2e426dea19eeb1a96e5bb1b34a96abe25a33165eef997ee4145b88d6e4

\??\c:\Users\Admin\AppData\Local\Temp\q1xxjoxh\q1xxjoxh.0.cs

MD5 63c88284f9f853ad7f35d419efd6f5ce
SHA1 e372ea3471ee9db9ad16e8ab7c1498e3f5d4cbca
SHA256 27b7d30958b1ebd854e7dcc56dae436ef01a2f7fc21ad4391014397d13fb4456
SHA512 2ce08e330a6b15629811011684da414671bb917eca188960c25b68a255de8895083e39c3cdee351948e895630bb5234e66445240b0f2817d6b70d007eaa075d8

\??\c:\Users\Admin\AppData\Local\Temp\q1xxjoxh\CSC7B58E4C29DC94A0B9D4414596C95D252.TMP

MD5 c57463fb9b914cc7898c4ac67f11ee9a
SHA1 6bbeb5551992bb50c8d9af175abe70466023a385
SHA256 eced3d5e513afe9c18ab9e8ec1eb961faff40f545bbf01e1c1cffba6f68a6e8a
SHA512 31dae4e4f0b13c8c59f8a8098fd35a0083071114fe754f6e9e0103ef98e857696a2e09d5225f924ddbd520334c4c196c592a9282777abaa5a9a9433fb4873604

memory/960-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RES1008.tmp

MD5 e413f9dbd9e9f65734f9c7d9daade83b
SHA1 67c8efe7729e4a9443157e1f14116be8a469a86b
SHA256 70ce6bc52eb9ddf5b8c004b08b075d3b8299883751c1d2f2805bcd1a2d469489
SHA512 84de44fe5769a3867dbd2d09d904bb21adfb8621bb670de8261a8975c588eb686b5641ce4aa07215c9432604b423b83e8fab629a8a81694d15f80e8894af41c0

C:\Users\Admin\AppData\Local\Temp\q1xxjoxh\q1xxjoxh.pdb

MD5 90765020fd71735ec2ece93397b99350
SHA1 961ed5a1d5f30dd8d6a2c96360ffb6e1c89f9ae1
SHA256 747bba9e7500c79915cb3b93f5489e5b34b5adeb03ce337b224a1d20e859fdaa
SHA512 245e12fa14d6105e4ef961045a355e204f882d5e4f2205ffd1ca52bacf5557e0288ee2fb35f6841b21c8b5cd91f6a3874a5dfe26b0688f80054a0a5eb1bfb53c

C:\Users\Admin\AppData\Local\Temp\q1xxjoxh\q1xxjoxh.dll

MD5 9159490f77162b32d93a3b7dd87398e9
SHA1 896155c6ed96abd01dc1e6aacd93e3133e38a4f8
SHA256 e362ba6fd7b4cbce399ee10d39a3ad4b61f35a83c68b4abdf4a06ee7a445abd8
SHA512 00e62f7673075b9c6dc9fdee5dff48ce844813ac84893a2e4be17dafca221c918fc148218c898364de6dd91eaf0d82e2424c9a7be7e6e700b12e806031e7333d

memory/1684-63-0x0000000000420000-0x0000000000428000-memory.dmp

memory/1684-64-0x0000000000EB0000-0x0000000000F10000-memory.dmp

memory/1684-65-0x0000000000470000-0x000000000047C000-memory.dmp

memory/1684-66-0x00000000752D1000-0x00000000752D3000-memory.dmp

memory/1684-67-0x00000000050E0000-0x0000000005136000-memory.dmp

memory/860-68-0x0000000000400000-0x0000000000456000-memory.dmp

memory/860-69-0x0000000000400000-0x0000000000456000-memory.dmp

memory/860-71-0x0000000000400000-0x0000000000456000-memory.dmp

memory/860-72-0x0000000000400000-0x0000000000456000-memory.dmp

memory/860-73-0x0000000000400000-0x0000000000456000-memory.dmp

memory/860-74-0x00000000004519BE-mapping.dmp

memory/860-76-0x0000000000400000-0x0000000000456000-memory.dmp

memory/860-78-0x0000000000400000-0x0000000000456000-memory.dmp

memory/860-80-0x0000000074340000-0x00000000748EB000-memory.dmp

memory/860-81-0x00000000004C6000-0x00000000004D7000-memory.dmp

memory/860-82-0x0000000074340000-0x00000000748EB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-07 17:21

Reported

2022-07-07 17:49

Platform

win10v2004-20220414-en

Max time kernel

170s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe"

Signatures

Imminent RAT

trojan spyware imminent

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskbars.url | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "\\test\\test.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Users\\Admin\\AppData\\Roaming\\test\\test.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4156 set thread context of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4156 wrote to memory of 3732 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4156 wrote to memory of 3732 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4156 wrote to memory of 3732 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3732 wrote to memory of 1368 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3732 wrote to memory of 1368 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3732 wrote to memory of 1368 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4156 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4156 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4156 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4156 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4156 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4156 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4156 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4156 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe

"C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xsbyxdbf\xsbyxdbf.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDED.tmp" "c:\Users\Admin\AppData\Local\Temp\xsbyxdbf\CSCBFFB7093E8C4438B34E803642621048.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Network

Country | Destination | Domain | Proto
US | 20.189.173.6:443 |  | tcp

Files

memory/4156-130-0x00000000009B0000-0x0000000000A32000-memory.dmp

memory/3732-131-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\xsbyxdbf\xsbyxdbf.cmdline

MD5 05197b725ae4a74d82f5fd5cb4a16134
SHA1 acb54c6228aa42ad1a181e9cba44f766f046a3b2
SHA256 6cd9575f2c0146c5dd2303481de0612c8116d6262c5f656b407e80ef55108a54
SHA512 51cad9c2d2dd57e72569db1e7087a46c6ca1495fdbfdd52c0f224e5c8be9d7c244afba8cf01a3fb9fadf013c4244157b4b649bdb0e548b10daff28b5ecf92a95

\??\c:\Users\Admin\AppData\Local\Temp\xsbyxdbf\xsbyxdbf.0.cs

MD5 63c88284f9f853ad7f35d419efd6f5ce
SHA1 e372ea3471ee9db9ad16e8ab7c1498e3f5d4cbca
SHA256 27b7d30958b1ebd854e7dcc56dae436ef01a2f7fc21ad4391014397d13fb4456
SHA512 2ce08e330a6b15629811011684da414671bb917eca188960c25b68a255de8895083e39c3cdee351948e895630bb5234e66445240b0f2817d6b70d007eaa075d8

memory/1368-134-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\xsbyxdbf\CSCBFFB7093E8C4438B34E803642621048.TMP

MD5 5fdc5584275f20a0044ef406185fad84
SHA1 eb06f6489b8c395832b49aaa31447ba6ba710d21
SHA256 c69a789021b165df00135ff843ba199b411f387add9d90da5f5c68e2d1c5b8ef
SHA512 8223296b21de6a941c3f80715aa20d1f1fbfa02e3b06fcc6d3f65d35df0d2f5b4c6a0e5a3599d40fa4560781dc2434bdbf76e7f052faed3f206ba0b5a4881ff9

C:\Users\Admin\AppData\Local\Temp\RESFDED.tmp

MD5 af0eb48b7b17fbdbcbeb112acd57e0c1
SHA1 ce2ec136e2cfc9b59a58683f6a6fe4898496c8c1
SHA256 26d048fd04ceb333780c718122d8852c87f0818cd6c92eba259fc8391ee83059
SHA512 72d4651d7fe2c706a526f1aabad69a06ca2900ac2495bfe8a5217fea9ddcb71ca72edc3f4ab408bdcf45d093e921d70562dc06f5c98a93d28b772aa63d1ff675

C:\Users\Admin\AppData\Local\Temp\xsbyxdbf\xsbyxdbf.dll

MD5 8b62ae1853dc76f8f2594333ec3f6b87
SHA1 0444b0fa981bf02922e0f5c49ae35c21db83d6f3
SHA256 a144ec153353c8cfc9bcf58c0f5a1c34704485a81bd3e5b9337f65270092be09
SHA512 4f950d563d280b8015d1756098f59962957a146047dc14fb29457273c1c58deaaf8ad36611b6312efcc3eee0c86bbeb76f2043c0e204e2650fb999392ed71534

C:\Users\Admin\AppData\Local\Temp\xsbyxdbf\xsbyxdbf.pdb

MD5 a53e8cfd94ce59a7f6cf15c55375113e
SHA1 b5dccadc2ea3a72b2400e30a73eb6a603039f15e
SHA256 f0aabf418def0253e339bf829bb00c57731a662a7cb82421320761658ad460c1
SHA512 95fc2e45eb8cf3cf9ef36d473205d14a06f6428c886ae4e1d004b3201faeb7da9faa86a6226b39fb710a32bc2e1902bbcbb0b7604ca5ed147e36d1c99ba950c1

memory/4156-139-0x00000000053D0000-0x0000000005462000-memory.dmp

memory/4156-140-0x0000000005A80000-0x0000000005B1C000-memory.dmp

memory/400-141-0x0000000000000000-mapping.dmp

memory/400-142-0x0000000000400000-0x0000000000456000-memory.dmp

memory/400-143-0x0000000074960000-0x0000000074F11000-memory.dmp

memory/400-144-0x0000000074960000-0x0000000074F11000-memory.dmp