Malware Analysis Report

2024-11-30 15:59

Sample ID 220708-jxfj9agdgn
Target 40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960
SHA256 40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960
Tags imminent spyware trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960 was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Drops startup file

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-07-08 08:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-08 08:02

Reported

2022-07-08 14:45

Platform

win7-20220414-en

Max time kernel

151s

Max time network

84s

Command Line

"C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe"

Signatures

Imminent RAT

trojan spyware imminent

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dNkTXF.url | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1708 set thread context of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1708 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | 4
PID 1944 wrote to memory of 1988 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | 4
PID 1708 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | 12

Processes

C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe

"C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fsxqjvni\fsxqjvni.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8E4.tmp" "c:\Users\Admin\AppData\Local\Temp\fsxqjvni\CSCF43CB66A34C4D9C9827ED30FADABE8D.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\fsxqjvni\fsxqjvni.cmdline

MD5 4e5ece883d7a401d2aeda43bfc3b54cf
SHA1 2ce66223a7c30ebdfaa119b72c1567ab87b48d3a
SHA256 192f57ed3da1f0e409af451c8a51b6985bbde23bf48ab28fb8dd671485e1c527
SHA512 03d4a1374e6dba27f104d260485bcd71e135c58ca2dfcfaf398a56e881610f08ee2c7f545d9cec3cc3bc543cecc9dc211abc32737bbea99290ecd93b5b188ef7

\??\c:\Users\Admin\AppData\Local\Temp\fsxqjvni\fsxqjvni.0.cs

MD5 e33624188c3ee62dcff268d6a4da727a
SHA1 b4852044413774311dd91df1b3477b054ca18403
SHA256 ef0fb70ee3f15f43a0a8bbc4cdf8d0fccf944cb0f98287d03b163a18e591fd64
SHA512 643b3ab3fdb29f61bfe53ccc68511af33cf624d4cc32b9db39fce39e990d299f36c9b27d35fa73bc39c4285605aec09c0a71432293b4dfcc5779a729f9d0dea2

\??\c:\Users\Admin\AppData\Local\Temp\fsxqjvni\CSCF43CB66A34C4D9C9827ED30FADABE8D.TMP

MD5 ea22c22f879c0a7672d0f24938415299
SHA1 9f0dcd36c04648885973e79af8af96f2b0a6cfbf
SHA256 527d1bfdd68a4533d586d3423095a7c7e657750ac65921ae6770fdbdec692174
SHA512 67efe2d5f33885483195032df4713d7da7668c500bc52c63a8d211b977a5c1472a34a578fec89c09786106b2dd99ad484c541dbc7d87f6027415602e7cb5b5e0

C:\Users\Admin\AppData\Local\Temp\RESB8E4.tmp

MD5 ce1c4967ae1c5f6a94e620825bc33fd9
SHA1 8da1b196dd05e12ff5fc8dd09a402943d54e1b15
SHA256 b141821eb39896f75d89b890778ec40421bfe71304a6856e781d6774657f8363
SHA512 154edf07fec7194a3d7d9819391d05b4111e41e646bb8dc5a9cb53f48123e1f25b415d7d7fba6fa1c2677e1b140ceae4862f76976b7a523d53695d8d46900b53

C:\Users\Admin\AppData\Local\Temp\fsxqjvni\fsxqjvni.pdb

MD5 c8f8328153415684b50aec382f3c2d44
SHA1 f125470d93db051d97a4ebbf98e29ecb64a5fa8e
SHA256 a80ef6546f4a1c3ed9a74d2447d0df40eebed16a3ef6e41be0a158cd8d848099
SHA512 7cc6af844dfb0d03b9d61ab79fe5c895f9d3aaea7b74e7895ad8c97d2e72118329c35724dd1b3854b16e9ff9d2fbc8c09254a1af2912c05ea1cc25960e6bf462

C:\Users\Admin\AppData\Local\Temp\fsxqjvni\fsxqjvni.dll

MD5 61a22089f6df03381dd0e3ae2e85cce5
SHA1 6892ac31ac3f2c4e89a5b48b53cd20d1b597ee09
SHA256 d78ea872fad0ebeff7bfbe74799a9f24d162bc252936c60212e3bb72ec581cc2
SHA512 2af32eead40f67b82c29c424cd32ed75e859cf1c1ade431d2cdb9533c95bcfb5b59fbfe6d14f71cda684ceb702f3b2c7d5485da9bf8a195ce4abedab4862292f

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-08 08:02

Reported

2022-07-08 14:45

Platform

win10v2004-20220414-en

Max time kernel

152s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe"

Signatures

Imminent RAT

trojan spyware imminent

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dNkTXF.url | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1272 set thread context of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1272 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | 3
PID 2172 wrote to memory of 2600 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | 3
PID 1272 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | 8

Processes

C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe

"C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j2gpao2o\j2gpao2o.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76D6.tmp" "c:\Users\Admin\AppData\Local\Temp\j2gpao2o\CSC738E3168490D4CBF8A67465E693F2E2.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto | Count
US | 93.184.220.29:80 | N/A | tcp | 1
US | 52.182.141.63:443 | N/A | tcp | 1
US | 209.197.3.8:80 | N/A | tcp | 3
US | 8.8.8.8:53 | zynovahk.duckdns.org | udp | 16

Files

\??\c:\Users\Admin\AppData\Local\Temp\j2gpao2o\j2gpao2o.cmdline

MD5 d59465ad12157f44fff9ce8d9f61c8c3
SHA1 101bbac90b8edc268e71eaf2ae6bbe250da16abc
SHA256 19220ab762d7271e19192bbc385aed1b848cbe7d74d6a0ddd3b9b01ef059c6b4
SHA512 b9ea4f8d7ea5ae982c163345ee9c803391a9c565e99cf2bc91acaac7a3a550b8cc05d457985d69e537be5a25e6a6bd2f2a2bd522672844367afe117b6c1e2149

\??\c:\Users\Admin\AppData\Local\Temp\j2gpao2o\j2gpao2o.0.cs

MD5 e33624188c3ee62dcff268d6a4da727a
SHA1 b4852044413774311dd91df1b3477b054ca18403
SHA256 ef0fb70ee3f15f43a0a8bbc4cdf8d0fccf944cb0f98287d03b163a18e591fd64
SHA512 643b3ab3fdb29f61bfe53ccc68511af33cf624d4cc32b9db39fce39e990d299f36c9b27d35fa73bc39c4285605aec09c0a71432293b4dfcc5779a729f9d0dea2

\??\c:\Users\Admin\AppData\Local\Temp\j2gpao2o\CSC738E3168490D4CBF8A67465E693F2E2.TMP

MD5 e2e0dcb03a7a70ead5b0445b17758de5
SHA1 b15a6ea45fab58ade725c69cf60f4d3ad80f2595
SHA256 dc2a0fa158f0eb10b831be34537cc98fcb0969c9e2e18ca65e391367b331e261
SHA512 9cace4381ac90daf0647aaece7125c2db70660b2f3463437c516ffad8d640bc582df8afc1fbfe98b5aa254e3e71a199b81a92caff3fd2987206323493c762925

C:\Users\Admin\AppData\Local\Temp\RES76D6.tmp

MD5 707e74575731c8e99181d3b0757906ed
SHA1 3b7392a69d6c2332985ff2f24ce3485646566ab7
SHA256 b9c0560a84fc73da6ef4f6c7310b61b610550a9f45077672b0710e07e89f3a01
SHA512 761943e9dbe63ac98ce2d96da9725295e7e4e2487df36d1a278cb2a333a7b1c08f33b4e52443372d61c9901b07125471dff58f31128f0f9847c4749c9645ea58

C:\Users\Admin\AppData\Local\Temp\j2gpao2o\j2gpao2o.dll

MD5 b07cbed381421051e55ad3c0bd69b00c
SHA1 872ff262f3804918c5c112c5b7c092d1646410b6
SHA256 175dc95340e01ffd45e144513371919967c38ba5754cd17be5566dff628be3ab
SHA512 b0460052015df2309f828e895654747ab98de8ee7ea9ed514fbf65e7737fdec4c905043b6fc20e057b85712ef6a004f772129eff3a0e9e57541880d5ae413ad2

C:\Users\Admin\AppData\Local\Temp\j2gpao2o\j2gpao2o.pdb

MD5 5b00a4913e9597a0bc4a8487188f489f
SHA1 2db83388f23d26c863c8173b2534ca4fadc50205
SHA256 4ac253952526cd8306bad2ca373f5956e3e2abd9164c453497cb008b85944a90
SHA512 ed91f3df8edb7cac8feaff0aec3ac7afe8393c8b85881cb87efc94ba27e353ab67c9733f57ea2d29a1565030d2199e2125e56d0e10482a5b6212098b59ea49f3
