Malware Analysis Report

2024-11-13 15:44

Sample ID: 221029-pgqm6sgagp
Target: fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362
SHA256: fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362
Tags: imminent spyware trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362

Threat Level: Known bad

The file fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362 was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-10-29 12:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-10-29 12:18
Reported: 2022-10-29 17:37
Platform: win7-20220812-en
Max time kernel: 149s
Max time network: 45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe"

Signatures

Imminent RAT

trojan spyware imminent

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe:ZONE.identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1280 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe C:\Users\Admin\AppData\Roaming\lexaos.exe
PID 1280 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe C:\Windows\SysWOW64\cmd.exe
PID 1280 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe

"C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe"

C:\Users\Admin\AppData\Roaming\lexaos.exe

"C:\Users\Admin\AppData\Roaming\lexaos.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe":ZONE.identifier & exit

C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe

"C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 strike44rus.ddns.net udp

Files


Analysis: behavioral2

Detonation Overview

Submitted: 2022-10-29 12:18
Reported: 2022-10-29 17:37
Platform: win10v2004-20220812-en
Max time kernel: 152s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe"

Signatures

Imminent RAT

trojan spyware imminent

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe:ZONE.identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3524 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe C:\Users\Admin\AppData\Roaming\lexaos.exe
PID 3524 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe C:\Windows\SysWOW64\cmd.exe
PID 3524 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe

"C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe"

C:\Users\Admin\AppData\Roaming\lexaos.exe

"C:\Users\Admin\AppData\Roaming\lexaos.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe":ZONE.identifier & exit

C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe

"C:\Users\Admin\AppData\Local\Temp\fc8c3adbe5d8951e7c078230ac179a27188edd0bd304b1713119dab42c6a8362.exe"

Network

Country Destination Domain Proto
US 8.238.20.126:80 tcp
US 8.8.8.8:53 strike44rus.ddns.net udp
US 8.253.208.120:80 tcp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp

Files
