Analysis

  • max time kernel
    105s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-08-2023 13:35

General

  • Target

    http://193.178.210.59/5.exe

Score
10/10

Malware Config

Extracted

Family

systembc

C2

ar.undata.cc:5320

ar1.undata.cc:5320

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 13 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://193.178.210.59/5.exe
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6be99758,0x7ffc6be99768,0x7ffc6be99778
      2⤵
        PID:3136
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:2
        2⤵
          PID:3560
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:8
          2⤵
            PID:3532
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:8
            2⤵
              PID:3084
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2164 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:1
              2⤵
                PID:2784
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2776 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:1
                2⤵
                  PID:1960
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4732 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:8
                  2⤵
                    PID:3712
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4596 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:8
                    2⤵
                      PID:2648
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:8
                      2⤵
                        PID:4632
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:8
                        2⤵
                          PID:4376
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:8
                          2⤵
                            PID:4388
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4988 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:8
                            2⤵
                              PID:4844
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4644 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:8
                              2⤵
                                PID:1796
                              • C:\Users\Admin\Downloads\5.exe
                                "C:\Users\Admin\Downloads\5.exe"
                                2⤵
                                • Suspicious use of NtCreateUserProcessOtherParentProcess
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                PID:4428
                              • C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe
                                "C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe"
                                2⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Suspicious use of SetThreadContext
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious behavior: MapViewOfSection
                                PID:1752
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\SysWOW64\cmd.exe"
                                  3⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious behavior: MapViewOfSection
                                  PID:2388
                                  • C:\Windows\SysWOW64\explorer.exe
                                    "C:\Windows\SysWOW64\explorer.exe"
                                    4⤵
                                      PID:4692
                              • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                1⤵
                                  PID:5012
                                • C:\Windows\System32\rundll32.exe
                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                  1⤵
                                    PID:712
                                  • C:\Users\Admin\Downloads\5.exe
                                    "C:\Users\Admin\Downloads\5.exe"
                                    1⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:5012

Network

MITRE ATT&CK Enterprise v15

Downloads

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    81c180328df394c1c28058ed511297ab

                                    SHA1

                                    aa5cfd7de528eb76d6a1d3d8f904cc5c8c8e5cc2

                                    SHA256

                                    2afd6d95d8d00c3ad99d13518649e8e302ab58472c3b7104b255b59d8ff694b0

                                    SHA512

                                    3b52692b21d37176dfc739e598d1da835806b583e2bdead07b8bca704e3a1b295ef12a959c06be4d8ae5d9b37687350b2e40f7e8ee7997f80b202a1e13a0c7da

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    d1b6bb951028e68210bc3a946f855872

                                    SHA1

                                    f79fe7428b84318f5fe586e68611789bd02b3496

                                    SHA256

                                    e10954334c5c8a62139a99b7db1520581f8095792c560b09ade1bee7597ce6e4

                                    SHA512

                                    4acf67fab99c91247539653e22ed6d2bf9d108d7bed56c50ff9ef79044604d2acefb5202fc2d6f0ebafca186818e563e13c7856dfe48d45c0747d6e4f9b81060

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                    Filesize

                                    6KB

                                    MD5

                                    f6e5f5da12b8bba53c999032c8f2df88

                                    SHA1

                                    fc239ed6abed5ded0dfc08a2586f9689e70333a9

                                    SHA256

                                    abf1ba698eb1c07746a3b145069a6ec65a03f88f45d149561553e5c655d270a8

                                    SHA512

                                    9a1c7544b84598a60c7fdf24dcd67fad708a7d0e3b2abf823a5c3acbf90a0e7fae2dd20434a59406ab312da39fc3ea3383cb2f00dc8cf7934a3b27217c5996ea

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                    Filesize

                                    87KB

                                    MD5

                                    b120af399ac0199c01e9ffc9e7ab9018

                                    SHA1

                                    150225c8a8b1b5f14f4bae0346b17be8618a8507

                                    SHA256

                                    232c4fa4875121ce68e0212b4468b7b6e53e16f9d208f81b36c0f900777e1c52

                                    SHA512

                                    c0e1af11022ed5c3390308e12810159a6a5b5cec9f17b94a62a59425b59ec8361fa034709c5b420a38364b06e8d4e33274c8c743a067ceed198cc76123ce8894

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

                                    Filesize

                                    2B

                                    MD5

                                    99914b932bd37a50b983c5e7c90ae93b

                                    SHA1

                                    bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                                    SHA256

                                    44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                                    SHA512

                                    27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                                  • C:\Users\Admin\AppData\Local\Temp\2f85c524

                                    Filesize

                                    436KB

                                    MD5

                                    27bf707124c569195b24968f0671e38c

                                    SHA1

                                    a05ded737af2fc86f4470ac7bc195a34215c9f17

                                    SHA256

                                    7ad5a7f9b9b536473b34314e51312c1119bc1e83a879154c96f2c86941050b32

                                    SHA512

                                    77f0812e2767328c16a359223943fc80ec93032cb3c176d8944ee3c64c4804386bdcc17eb49b00ebfe8005645c8d052011b29dc0171a42cb4866462b54cf5e87

                                  • C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe

                                    Filesize

                                    168KB

                                    MD5

                                    aef6452711538d9021f929a2a5f633cf

                                    SHA1

                                    205b7fab75e77d1ff123991489462d39128e03f6

                                    SHA256

                                    e611a1ffbe9e08a2660bc290a581aa0b54637524aaf6040a70e54f97136ce5ac

                                    SHA512

                                    7ad84d4d3bab3f5a3e14f336d8931bf4b876299000081b2a94a3fcf698c56b82514753b483c5b8d7ae84ddd92ee1c4043fa5e7fb7c4f7e9eb52ca8c794e508b7

                                  • C:\Users\Admin\AppData\Roaming\activeds\MCoreLib.dll

                                    Filesize

                                    106KB

                                    MD5

                                    815b07c37c83b13457d37ca8c6a7a561

                                    SHA1

                                    746138b85e5611fd058c008411889a15870083cd

                                    SHA256

                                    153c1b5e96e7bc4c9f858c3cc3bc6cd5e09ef68776d95871ca38824c430654c4

                                    SHA512

                                    8949ab1deae036ae785ad20c634519aa368b4768f0dd65c0dc53f8ea70dd7d707c984277b914de14054eb8a044182ff78205e3a02555e377750bb829760b8c31

                                  • C:\Users\Admin\AppData\Roaming\activeds\MDb.dll

                                    Filesize

                                    205KB

                                    MD5

                                    be1262b27ff4a4349b337cc95b7746e7

                                    SHA1

                                    a88b9a167baedbaef047b862caecb8206548c2f6

                                    SHA256

                                    ab47f3a52c1c2a7f1855c48e2d085e87345590b1fb78353c7070c3b6600843fd

                                    SHA512

                                    d70a9f1113b2b11ff5df3644b97d13cfe1deee1def13e751eabd8e84858e4ae6eb58d45926a1443cafbb7a261bcb61285b4c316014b43c6c6971f7261e13bb96

                                  • C:\Users\Admin\AppData\Roaming\activeds\MKernel.dll

                                    Filesize

                                    219KB

                                    MD5

                                    ab9ee0529bab6495e65bf7d25c2476a2

                                    SHA1

                                    4438dc373b04cbab0320ccdf3ec5da8fb85f5f4f

                                    SHA256

                                    4f3e310c5b4fe873a91b19db66e2c1b69a30b4bf7362570d6b1d7d5105a4b0a9

                                    SHA512

                                    05f4018f370ac18e32ab2c2642430154b5050948b12f0822024c960ffed94dc65469c22f01d67d0948fc1aa3eea16d3f0b47569275e87aacd934b74e83e2e7b4

                                  • C:\Users\Admin\AppData\Roaming\activeds\MSVCP71.dll

                                    Filesize

                                    488KB

                                    MD5

                                    561fa2abb31dfa8fab762145f81667c2

                                    SHA1

                                    c8ccb04eedac821a13fae314a2435192860c72b8

                                    SHA256

                                    df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

                                    SHA512

                                    7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

                                  • C:\Users\Admin\AppData\Roaming\activeds\MSVCR71.dll

                                    Filesize

                                    340KB

                                    MD5

                                    86f1895ae8c5e8b17d99ece768a70732

                                    SHA1

                                    d5502a1d00787d68f548ddeebbde1eca5e2b38ca

                                    SHA256

                                    8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

                                    SHA512

                                    3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

                                  • C:\Users\Admin\AppData\Roaming\activeds\MUICoreLib.dll

                                    Filesize

                                    824KB

                                    MD5

                                    60a5383ba17d8f519cb4356e28873a14

                                    SHA1

                                    6bf70393d957320a921226c7fcdf352a0a67442d

                                    SHA256

                                    80878e4543959b63cbd87e3ebb82f4988cbbdf9da564370aa15410783c5f343f

                                    SHA512

                                    a0e0ef1d821e13977d14a806357128285edc0a26c01dcf9fd99e7c62f8efccdf608b1c0dceb1f3f40e988692eb549e22193d9ce253a1c0c1d8b10c46955bee12

                                  • C:\Users\Admin\AppData\Roaming\activeds\MUIUtils.dll

                                    Filesize

                                    385KB

                                    MD5

                                    97d6efb8b8e0b0f03701a7bafc398545

                                    SHA1

                                    0fe11e0b7f47fdec9aaa98b83728c125409e9d5b

                                    SHA256

                                    51c8715fac6797b7f962a68903f1f994c2af1088ac31972b5e512dab5ab4fd8e

                                    SHA512

                                    2bf8935ad96f35586be6074e8798fa36ee13a05cef05aa0df120ef6800cc1d941310c672894d2380b87c7491663c137fa5bcade4a732bcc6448ba3bf0badb2d7

                                  • C:\Users\Admin\AppData\Roaming\activeds\MUtils.dll

                                    Filesize

                                    619KB

                                    MD5

                                    6da9a492898b66db78f5c9d3fc7ecc64

                                    SHA1

                                    d264f67d92ccd4cfeaed1510ed0b6ae90d3f7db4

                                    SHA256

                                    50dfc607913a47dd266e27f6533f3f6b8f9fe995582f7662a944149a26b5054c

                                    SHA512

                                    11bc138d16f279d70ece09e3d238ce891bc5015b6d49a750e153c2b9286bf95e285e818ed5e25e7c731cdfff1324cdb74155f68fda0ef8104eb0d554e2b2923e

                                  • C:\Users\Admin\AppData\Roaming\activeds\coolcore49.dll

                                    Filesize

                                    764KB

                                    MD5

                                    4f27d1bacaf09d1919484355b341c868

                                    SHA1

                                    f1be78d484235270a1416c6acb20e2915ae050db

                                    SHA256

                                    12cddd3c62ff777f1738226fe0b4b36c8170e5e1c0c47fb5913f1a780dc5f450

                                    SHA512

                                    328277fe18d2bbc11160d0c239c90e94d2689b8dbefb6fe46febb730fbcc6e18ced429f839d7a81d8e1b42fe4c1cb4afaaa5745353daf271ac21984f5c67aced

  • C:\Users\Admin\AppData\Roaming\activeds\msvcp71.dll
    Filesize: 488KB
    MD5: 561fa2abb31dfa8fab762145f81667c2
    SHA1: c8ccb04eedac821a13fae314a2435192860c72b8
    SHA256: df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b
    SHA512: 7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

  • C:\Users\Admin\AppData\Roaming\activeds\msvcr71.dll
    Filesize: 340KB
    MD5: 86f1895ae8c5e8b17d99ece768a70732
    SHA1: d5502a1d00787d68f548ddeebbde1eca5e2b38ca
    SHA256: 8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe
    SHA512: 3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

  • C:\Users\Admin\AppData\Roaming\activeds\shallop.wmv
    Filesize: 312KB
    MD5: 983058d5482f9477c6b4fe17faef85db
    SHA1: 00d43c0588c8c88c9076b911d65d94d0b0913b69
    SHA256: d3b79dee1b597a1901e7c7721b8019b79e555495d234056a85bbf0d7b1fc83a2
    SHA512: d8a5589c890faf88dfac93c3f1d4818a6d20db5bd7830366c49247ec20426605c4c4b868eca4e0729a01f56dce3c87bfbe379d2c50f9bf5ffef3afcc50f8163a

  • C:\Users\Admin\AppData\Roaming\activeds\xprt6.dll
    Filesize: 244KB
    MD5: d145903e217ddde20ce32ed9e5074e16
    SHA1: bdb3265d872f446d7445aae4f2d0beba5dae3bd8
    SHA256: 9317971d3615415691420d06b06de89b67aea164877b74e308bb9c338ca0eca4
    SHA512: 00e7df32ab3c8a46b4e8761634ddeac28410f46a9312923f46b1d83376d69489653763661f2c51ac9f85028a11d8496c911eabcb55a19222caf311be61504666

  • C:\Users\Admin\Downloads\5.exe
    Filesize: 2.4MB
    MD5: 82cf051811579ee4f1d9978af52f12db
    SHA1: 34122975ea9238001cb644955a1474f4d33f9e7b
    SHA256: 2227d5b2e2782a03bdb847a8ebf9ea40cc2c9f10f48385154c66ded1577b1deb
    SHA512: 1eb2df40b3e98a0289b2ccd51d0d0861c9e967220b745643210ecdda63e2aeebaf5940b2d0a319dd0ffc6754238aa0a897ee261d06528c645740082a07de3b73

  • C:\Users\Admin\Downloads\Unconfirmed 424777.crdownload
    Filesize: 2.4MB
    MD5: 82cf051811579ee4f1d9978af52f12db
    SHA1: 34122975ea9238001cb644955a1474f4d33f9e7b
    SHA256: 2227d5b2e2782a03bdb847a8ebf9ea40cc2c9f10f48385154c66ded1577b1deb
    SHA512: 1eb2df40b3e98a0289b2ccd51d0d0861c9e967220b745643210ecdda63e2aeebaf5940b2d0a319dd0ffc6754238aa0a897ee261d06528c645740082a07de3b73

  • \??\pipe\crashpad_1084_ZVTNOYIQAHOVQJSF
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/1752-234-0x00000000737B0000-0x0000000074A04000-memory.dmp
    Filesize: 18.3MB

  • memory/1752-228-0x0000000000A30000-0x0000000000A93000-memory.dmp
    Filesize: 396KB

  • memory/1752-231-0x0000000000AA0000-0x0000000000B71000-memory.dmp
    Filesize: 836KB

  • memory/2388-242-0x00007FFC7A170000-0x00007FFC7A365000-memory.dmp
    Filesize: 2.0MB

  • memory/2388-240-0x00000000737B0000-0x0000000074A04000-memory.dmp
    Filesize: 18.3MB

  • memory/4428-190-0x0000000074090000-0x0000000074321000-memory.dmp
    Filesize: 2.6MB

  • memory/4692-265-0x00007FFC7A170000-0x00007FFC7A365000-memory.dmp
    Filesize: 2.0MB

  • memory/4692-266-0x0000000000D60000-0x0000000000D68000-memory.dmp
    Filesize: 32KB

  • memory/4692-267-0x0000000000200000-0x0000000000633000-memory.dmp
    Filesize: 4.2MB

  • memory/4692-268-0x0000000000D60000-0x0000000000D68000-memory.dmp
    Filesize: 32KB

  • memory/4692-269-0x0000000000D60000-0x0000000000D68000-memory.dmp
    Filesize: 32KB