Malware Analysis Report

2024-11-13 15:44

Sample ID 221029-qapmzahcbp
Target 5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8
SHA256 5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8
Tags
imminent agilenet spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8

Threat Level: Known bad

The file 5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8 was found to be: Known bad.

Malicious Activity Summary

imminent agilenet spyware trojan

Imminent RAT

Executes dropped EXE

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-29 13:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-29 13:03

Reported

2022-10-29 18:32

Platform

win7-20220812-en

Max time kernel

154s

Max time network

84s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe"

Signatures

Imminent RAT

trojan spyware imminent

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe:ZONE.identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35436.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\35436.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35436.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1388 wrote to memory of 1940 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe C:\Users\Admin\AppData\Local\Temp\35436.exe
PID 1388 wrote to memory of 1448 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 960 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe

"C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe"

C:\Users\Admin\AppData\Local\Temp\35436.exe

"C:\Users\Admin\AppData\Local\Temp\35436.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe":ZONE.identifier & exit

C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe

"C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 strike44rus.ddns.net udp

Files

memory/1388-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

memory/1388-55-0x00000000740B0000-0x000000007465B000-memory.dmp

memory/1388-56-0x00000000740B0000-0x000000007465B000-memory.dmp

\Users\Admin\AppData\Local\Temp\35436.exe

MD5 4677afdabed8cb27fb7c4127b321023b
SHA1 3e9926e00ed53faa3adbce415d0ad3e15bc8a881
SHA256 450ddaf0193353283cb11a8818320d00b468060088059eb56e43681a7d8a1c4e
SHA512 81ed72901ba26925833ae2e7eb74482735d0e1f2292a538062ad22580a367ee3848be323cdc4f0d4790114ec9eb349be6058e0e486be63c367a7ff6111fa8a1c

memory/1940-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\35436.exe

MD5 4677afdabed8cb27fb7c4127b321023b
SHA1 3e9926e00ed53faa3adbce415d0ad3e15bc8a881
SHA256 450ddaf0193353283cb11a8818320d00b468060088059eb56e43681a7d8a1c4e
SHA512 81ed72901ba26925833ae2e7eb74482735d0e1f2292a538062ad22580a367ee3848be323cdc4f0d4790114ec9eb349be6058e0e486be63c367a7ff6111fa8a1c

memory/1448-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe

MD5 154c3a264fb533d72ad45319517c0727
SHA1 ace750a10e8e2bd4da9c6d2e840db79a7d4a0889
SHA256 5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8
SHA512 7a8337712ce642daab63448def991b3922f8331601fa4670fe8167a837a8958e63cc0bcb705c5176edb7933d186bfba81154f13b6eeaffae85bdcddf21143dc9

\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe

MD5 154c3a264fb533d72ad45319517c0727
SHA1 ace750a10e8e2bd4da9c6d2e840db79a7d4a0889
SHA256 5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8
SHA512 7a8337712ce642daab63448def991b3922f8331601fa4670fe8167a837a8958e63cc0bcb705c5176edb7933d186bfba81154f13b6eeaffae85bdcddf21143dc9

memory/960-66-0x0000000000400000-0x000000000052C000-memory.dmp

memory/960-67-0x0000000000400000-0x000000000052C000-memory.dmp

memory/960-69-0x0000000000400000-0x000000000052C000-memory.dmp

memory/960-70-0x0000000000400000-0x000000000052C000-memory.dmp

memory/960-72-0x0000000000526B5A-mapping.dmp

memory/960-71-0x0000000000400000-0x000000000052C000-memory.dmp

memory/960-78-0x0000000000400000-0x000000000052C000-memory.dmp

memory/960-76-0x0000000000400000-0x000000000052C000-memory.dmp

memory/1388-75-0x00000000740B0000-0x000000007465B000-memory.dmp

memory/960-80-0x00000000740B0000-0x000000007465B000-memory.dmp

memory/1940-81-0x00000000740B0000-0x000000007465B000-memory.dmp

\Users\Admin\AppData\Local\Temp\65285c40-ff11-48bc-abe7-bafc09cc4fc1\AgileDotNetRT.dll

MD5 b00823b0095b4bfaa0c0044e8c9759a5
SHA1 10dfacf94196d3f4a4cf09b9a502eb0c4a1d7e6e
SHA256 fbe82a7b20535f59650af688d4068038d9dca9a5d9bc3083645f8ee87a54f076
SHA512 69301f1d7077e7cb1cc208a143383a8bb0a4d3a75fe88d0a5df180c370d13d5368116cf13b9bbf9e26a84a83cc4328f5f151582c75dd47385f2f9a8966de4dd8

memory/960-83-0x0000000073FA0000-0x0000000073FFB000-memory.dmp

memory/960-84-0x0000000073710000-0x0000000073744000-memory.dmp

memory/960-85-0x00000000740B0000-0x000000007465B000-memory.dmp

memory/960-86-0x0000000073710000-0x0000000073744000-memory.dmp

memory/1940-87-0x00000000740B0000-0x000000007465B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-29 13:03

Reported

2022-10-29 18:32

Platform

win10v2004-20220812-en

Max time kernel

162s

Max time network

197s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe"

Signatures

Imminent RAT

trojan spyware imminent

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\35436.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\35436.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\35436.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\35436.exe N/A
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\35436.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe:ZONE.identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35436.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\35436.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35436.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 4892 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe C:\Users\Admin\AppData\Local\Temp\35436.exe
PID 2052 wrote to memory of 2116 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 4104 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe

"C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe"

C:\Users\Admin\AppData\Local\Temp\35436.exe

"C:\Users\Admin\AppData\Local\Temp\35436.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe":ZONE.identifier & exit

C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe

"C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe"

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 8.8.8.8:53 strike44rus.ddns.net udp
NL 178.79.208.1:80 tcp
US 8.8.8.8:53 strike44rus.ddns.net udp (18 further identical queries)

Files

memory/2052-132-0x0000000074E20000-0x00000000753D1000-memory.dmp

memory/2052-133-0x0000000074E20000-0x00000000753D1000-memory.dmp

memory/4892-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\35436.exe

MD5 4677afdabed8cb27fb7c4127b321023b
SHA1 3e9926e00ed53faa3adbce415d0ad3e15bc8a881
SHA256 450ddaf0193353283cb11a8818320d00b468060088059eb56e43681a7d8a1c4e
SHA512 81ed72901ba26925833ae2e7eb74482735d0e1f2292a538062ad22580a367ee3848be323cdc4f0d4790114ec9eb349be6058e0e486be63c367a7ff6111fa8a1c

memory/4892-137-0x0000000074E20000-0x00000000753D1000-memory.dmp

memory/2116-138-0x0000000000000000-mapping.dmp

memory/4104-139-0x0000000000000000-mapping.dmp

memory/4104-140-0x0000000000400000-0x000000000052C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe

MD5 154c3a264fb533d72ad45319517c0727
SHA1 ace750a10e8e2bd4da9c6d2e840db79a7d4a0889
SHA256 5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8
SHA512 7a8337712ce642daab63448def991b3922f8331601fa4670fe8167a837a8958e63cc0bcb705c5176edb7933d186bfba81154f13b6eeaffae85bdcddf21143dc9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\5cf517a87e8b41b05b6f8b69c285aea898e48344e344d6d8ae963f31b6f2b7a8.exe.log

MD5 1cc4c5b51e50ec74a6880b50ecbee28b
SHA1 1ba7bb0e86c3d23fb0dc8bf16798d37afb4c4aba
SHA256 0556734df26e82e363d47748a3ceedd5c23ea4b9ded6e68bd5c373c1c9f8777b
SHA512 5d5532602b381125b24a9bd78781ed722ce0c862214ef17e7d224d269e6e7045c919ab19896dd8d9ae8920726092efe0ffb776a77a9a9539c4a70188d5a4c706

memory/2052-144-0x0000000074E20000-0x00000000753D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\65285c40-ff11-48bc-abe7-bafc09cc4fc1\AgileDotNetRT.dll

MD5 b00823b0095b4bfaa0c0044e8c9759a5
SHA1 10dfacf94196d3f4a4cf09b9a502eb0c4a1d7e6e
SHA256 fbe82a7b20535f59650af688d4068038d9dca9a5d9bc3083645f8ee87a54f076
SHA512 69301f1d7077e7cb1cc208a143383a8bb0a4d3a75fe88d0a5df180c370d13d5368116cf13b9bbf9e26a84a83cc4328f5f151582c75dd47385f2f9a8966de4dd8

memory/4104-147-0x0000000074E20000-0x00000000753D1000-memory.dmp

memory/4104-146-0x0000000073BC0000-0x0000000073C1B000-memory.dmp

memory/4104-148-0x00000000732C0000-0x00000000732F4000-memory.dmp

memory/4104-149-0x0000000074E20000-0x00000000753D1000-memory.dmp

memory/4892-150-0x0000000074E20000-0x00000000753D1000-memory.dmp