Malware Analysis Report

2024-11-30 16:02

Sample ID 220712-fgvgpabger
Target 4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4
SHA256 4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4
Tags
imminent spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4

Threat Level: Known bad

The file 4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4 was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Drops startup file

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-07-12 04:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-12 04:51

Reported

2022-07-12 05:37

Platform

win7-20220414-en

Max time kernel

150s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4.exe"

Signatures

Imminent RAT

trojan spyware imminent

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cdCfTQ.url | C:\Users\Admin\AppData\Local\Temp\4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1984 set thread context of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1984 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1656 wrote to memory of 1992 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1984 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1984 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4.exe

"C:\Users\Admin\AppData\Local\Temp\4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\um4cjhvh\um4cjhvh.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AC.tmp" "c:\Users\Admin\AppData\Local\Temp\um4cjhvh\CSCDC3B2B7C0004B6CAD404ABCF1B62220.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp

Files

memory/1984-54-0x0000000000EB0000-0x0000000000F50000-memory.dmp

memory/1656-55-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\um4cjhvh\um4cjhvh.cmdline

MD5 328c28b08993aa4e814d1abef3830d28
SHA1 a144b0f23fcc7e578ff378c8a5b06385355b8024
SHA256 33691ca2dd437492be059b968a073ba28c77357be78c315cae14c75529ffc67b
SHA512 d48c79d75a9b13a78212f70653db1687eb2f897ab000b4dd808c2c253403167d108f94d24806bc0e215b908098914c4dd8cbaa71c1b7c3360a3855fcdc0c4acf

\??\c:\Users\Admin\AppData\Local\Temp\um4cjhvh\um4cjhvh.0.cs

MD5 e1149e216633c8e8c631c7167ce311f6
SHA1 d1d76efb2e300171dfa82d66c55ae601714f8e94
SHA256 85fa29630c6d39bca2e00a45dd8fac6f9074555f2abca832a56f4732fb1bd911
SHA512 06d579f2490d71cf17839bf1dcf750edc5334aee7385165069c07545471a550454f5f9598adfa2827cb2967b94eae9b1325050ca0da7545d04f7430297643061

memory/1992-58-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\um4cjhvh\CSCDC3B2B7C0004B6CAD404ABCF1B62220.TMP

MD5 68737b20d348fb9c323a6931e64b6670
SHA1 64dd15ea0f7a234d4f55874e76e1a7f389d27d48
SHA256 33d4cfd96b67c37935cb7a46e3a59d6b52c15f4ba92c7f241147ca624ee39b3a
SHA512 20baf2154674bb6a2a49b26c8721e405d3baeac0306ed8ef0e13fea2fbf17974b98fdfca667a6314f5bc06adb41496ceed4bae9c62490a2144ac133d2185c817

C:\Users\Admin\AppData\Local\Temp\RES5AC.tmp

MD5 a904b3687c5d1c27b84a1366ff2ca542
SHA1 e1ada9785ac63c66280368b1dca08c9aa01903b1
SHA256 aa4b188bb89987f2399eafd734fc7e0934f33f0d0feb0bfeb8f92508071de5fe
SHA512 47120749302f61ae152759e8460a7fd2e527a9d0bbf104812527debaf2d83e382e14a273a6ba3d6e4260b2c592ae0e5fca5784123fc547c235318dceb229b09a

C:\Users\Admin\AppData\Local\Temp\um4cjhvh\um4cjhvh.pdb

MD5 51e43eb8a7acd744bc2a84dd8fbff96a
SHA1 79b49dca70c80a032c77b9cc19f7481ddd824f93
SHA256 3059ef1095b6359edb763cbf359dd21585a8839bdc8468e3a8eba69f520ee162
SHA512 3d7e40d8f57075bd17a7cbb1647a93444c52d5e786faa51054e319a224379ad129ec281cf050a5cb1933aa9c0ab33e19023dddba1e517326066adba8c88e01e5

C:\Users\Admin\AppData\Local\Temp\um4cjhvh\um4cjhvh.dll

MD5 1c353caa3f70c384b7bbcd164e3d3035
SHA1 9f532e135bcda6c33de68fb0c0228fc2a83e74db
SHA256 6a68fdd92de2e465cb38e9d401f749d4001427e90f7bf058f79c033e04cb9bb1
SHA512 2f3acd3a374531624e43e59638b2e3e58a2be7df24ea608d63a9202e4f79c8a08b8d26e4ce820b87bf2e71d77328fdcef003dd9074e2351d175d61a2bae962a9

memory/1984-63-0x0000000000380000-0x000000000038A000-memory.dmp

memory/1984-64-0x0000000000BE0000-0x0000000000C40000-memory.dmp

memory/1984-65-0x00000000004F0000-0x00000000004FC000-memory.dmp

memory/1984-66-0x00000000753C1000-0x00000000753C3000-memory.dmp

memory/1984-67-0x0000000004350000-0x00000000043A6000-memory.dmp

memory/2040-68-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2040-69-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2040-71-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2040-72-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2040-73-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2040-74-0x0000000000451E5E-mapping.dmp

memory/2040-76-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2040-78-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2040-80-0x0000000074720000-0x0000000074CCB000-memory.dmp

memory/2040-81-0x0000000074720000-0x0000000074CCB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-12 04:51

Reported

2022-07-12 05:37

Platform

win10v2004-20220414-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4.exe"

Signatures

Imminent RAT

trojan spyware imminent

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cdCfTQ.url | C:\Users\Admin\AppData\Local\Temp\4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 524 set thread context of 440 | N/A | C:\Users\Admin\AppData\Local\Temp\4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 524 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3304 wrote to memory of 4092 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 524 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 524 wrote to memory of 440 | N/A | C:\Users\Admin\AppData\Local\Temp\4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4.exe

"C:\Users\Admin\AppData\Local\Temp\4cdba4cf50744aa2b8b62a3567c3fc6936df295c9e9fe4d9677d1f77c88bdad4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zizs2kqu\zizs2kqu.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB7E.tmp" "c:\Users\Admin\AppData\Local\Temp\zizs2kqu\CSC52961BFAB5AE47FE8014776AA1B376A.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
US | 13.107.21.200:443 | | tcp
US | 104.208.16.89:443 | | tcp
NL | 8.238.21.254:80 | | tcp
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp

Files

memory/524-130-0x00000000004D0000-0x0000000000570000-memory.dmp

memory/3304-131-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\zizs2kqu\zizs2kqu.cmdline

MD5 a6d79951cad18e612ba2a0cde7c5cd55
SHA1 f581a48cd1599d4add4d96c362c1f29add3b3e59
SHA256 f681e62befeab0c3ec6f05b2d0a78ef76d8a9e89a0ac16905e26d94e8c78f8f5
SHA512 15cd2fefe513a20216d7621e5ac81a1af06b91c1ba1a1e1e056a7d7f5dfa92c283ea4dd457a46dfc7e154e93a1266eb1a7e3f8862ad3217a702f654933ee9586

\??\c:\Users\Admin\AppData\Local\Temp\zizs2kqu\zizs2kqu.0.cs

MD5 e1149e216633c8e8c631c7167ce311f6
SHA1 d1d76efb2e300171dfa82d66c55ae601714f8e94
SHA256 85fa29630c6d39bca2e00a45dd8fac6f9074555f2abca832a56f4732fb1bd911
SHA512 06d579f2490d71cf17839bf1dcf750edc5334aee7385165069c07545471a550454f5f9598adfa2827cb2967b94eae9b1325050ca0da7545d04f7430297643061

memory/4092-134-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\zizs2kqu\CSC52961BFAB5AE47FE8014776AA1B376A.TMP

MD5 1264be62f63df4947661aec79fc5bc69
SHA1 fce00dc03733a8bb471e51dd11bf2e24cddd313e
SHA256 987a0c4cc78d697d06194ef3f707deaa0d3d1c319d12f5c03a7949a85d7a24ab
SHA512 45b96d48598e1ab234c95460a058ef48730276bb3eb604721b30e9dfb7f464968df2d90c5552aee417ae0cd74c45e618766c3e97e3ac587083208669c641b296

C:\Users\Admin\AppData\Local\Temp\RESEB7E.tmp

MD5 ab3e237bdc750955219edaf282da51b4
SHA1 e3412eeab664706b44e135295aeff2c253ebca90
SHA256 e0681a6ec143c392d5dbfae4f8baa0ee9403e313080b339afa0ef4c37f1f130a
SHA512 0efb3168a736446780189ab16f97339911d939df3f27f665af183d327cbb89233c7287ae6babf7589d28cc69eefbcd89358d81df3e1a25e916fc08046a3450a7

C:\Users\Admin\AppData\Local\Temp\zizs2kqu\zizs2kqu.dll

MD5 16ceacefd4103c7dd8a05ddef0be979e
SHA1 338c01e152415af573a60e6482244ee66f51d290
SHA256 bca4e6a7061ef5a87373024c3f8e40a59cc9861de7c7b43edb8ff10f8798731f
SHA512 8f4c5da85891bf72804d63f60b592be41a11b65be393b293ca63e1767148fbdea07c8e2a099c4622a7da6b167b9be2d9b211e497e4d27ae8eb7eb6e298a170d6

C:\Users\Admin\AppData\Local\Temp\zizs2kqu\zizs2kqu.pdb

MD5 707ff7d4a6825c5d8b4a85cb1df59170
SHA1 9a8a9799395b61cb2d0b8ea1c4cf3f299a14a7e2
SHA256 9400b8b98189734bac1c971088405524d69f6f5cd70bd277aaeae26a6ccf03cd
SHA512 681760681a1375bdf5ee0179d49ec43460a6d205f8c717416591747449a222794d698651e4096c62f68ae2b214441b819d2427dbe29fbff870d039cfaba54b34

memory/524-139-0x0000000004F60000-0x0000000004FF2000-memory.dmp

memory/524-140-0x00000000055C0000-0x000000000565C000-memory.dmp

memory/2856-141-0x0000000000000000-mapping.dmp

memory/440-142-0x0000000000000000-mapping.dmp

memory/440-143-0x0000000000400000-0x0000000000456000-memory.dmp

memory/440-144-0x0000000074A30000-0x0000000074FE1000-memory.dmp

memory/440-145-0x0000000074A30000-0x0000000074FE1000-memory.dmp