Analysis Overview
Threat Level: Known bad
The file http://193.178.210.59/5.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
SystemBC
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Analysis: static1
Detonation Overview
Reported: 2023-08-11 13:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2023-08-11 13:35
Reported: 2023-08-11 13:37
Platform: win10v2004-20230703-en
Max time kernel: 105s
Max time network: 109s
Command Line:
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4428 created 1084 | N/A | C:\Users\Admin\Downloads\5.exe | C:\Program Files\Google\Chrome\Application\chrome.exe |
SystemBC
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Downloads\5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\5.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1752 set thread context of 2388 | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133362345384122251" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\5.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\5.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\5.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\5.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\5.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://193.178.210.59/5.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6be99758,0x7ffc6be99768,0x7ffc6be99778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2164 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2776 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4732 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4596 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4988 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4644 --field-trial-handle=1888,i,6557791884206750538,8359003998900233242,131072 /prefetch:8
C:\Users\Admin\Downloads\5.exe
"C:\Users\Admin\Downloads\5.exe"
C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe
"C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\5.exe
"C:\Users\Admin\Downloads\5.exe"
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
Network
Files