Analysis Overview
SHA256
2227d5b2e2782a03bdb847a8ebf9ea40cc2c9f10f48385154c66ded1577b1deb
Threat Level: Known bad
The file 5.exe.vir was classified as Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
SystemBC
Loads dropped DLL
Executes dropped EXE
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-15 15:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-15 15:32
Reported
2023-08-15 15:35
Platform
win7-20230712-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\5.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\5.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\5.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5.exe
"C:\Users\Admin\AppData\Local\Temp\5.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | doi.org | udp |
| US | 172.67.72.147:443 | doi.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.121.76:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | www.doi.org | udp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| US | 8.8.8.8:53 | www.doi.org | udp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| NL | 13.227.219.21:443 | www.doi.org | tcp |
| US | 8.8.8.8:53 | www.doi.org | udp |
| NL | 13.227.219.53:443 | www.doi.org | tcp |
| NL | 13.227.219.53:443 | www.doi.org | tcp |
| NL | 13.227.219.53:443 | www.doi.org | tcp |
| NL | 13.227.219.53:443 | www.doi.org | tcp |
| NL | 13.227.219.53:443 | www.doi.org | tcp |
| NL | 13.227.219.53:443 | www.doi.org | tcp |
| NL | 13.227.219.53:443 | www.doi.org | tcp |
| NL | 13.227.219.53:443 | www.doi.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab8671.tmp
| MD5 | 3ac860860707baaf32469fa7cc7c0192 |
| SHA1 | c33c2acdaba0e6fa41fd2f00f186804722477639 |
| SHA256 | d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904 |
| SHA512 | d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c |
C:\Users\Admin\AppData\Local\Temp\Tar874E.tmp
| MD5 | 4ff65ad929cd9a367680e0e5b1c08166 |
| SHA1 | c0af0d4396bd1f15c45f39d3b849ba444233b3a2 |
| SHA256 | c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6 |
| SHA512 | f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 569c0a2fa2f84bc8d528189560f62079 |
| SHA1 | 45c2410c63a79faaff3ccda3c8a7f265f0ef5d98 |
| SHA256 | c16f6f9cc42f82a97b3f5daa17e5b898a26695efede93e9621c9bf51465bede6 |
| SHA512 | 484dc5c0473544b9c360d2811437e89672ed7c9cf789a337f42c2caee49d026e65d713471775fafbd7f20c764d7a87ce8fd31a96f8e52da912a3765cb9d7c573 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-15 15:32
Reported
2023-08-15 15:35
Platform
win10v2004-20230703-en
Max time kernel
145s
Max time network
135s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4684 created 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\5.exe | C:\Windows\Explorer.EXE |
SystemBC
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4832 set thread context of 3312 | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\5.exe
"C:\Users\Admin\AppData\Local\Temp\5.exe"
C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe
"C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | doi.org | udp |
| US | 172.67.72.147:443 | doi.org | tcp |
| US | 8.8.8.8:53 | www.doi.org | udp |
| NL | 13.227.219.102:443 | www.doi.org | tcp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.72.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.imgur.com | udp |
| NL | 199.232.148.193:443 | i.imgur.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.148.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.219.227.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
memory/4684-134-0x00000000741B0000-0x0000000074441000-memory.dmp
C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe
| MD5 | aef6452711538d9021f929a2a5f633cf |
| SHA1 | 205b7fab75e77d1ff123991489462d39128e03f6 |
| SHA256 | e611a1ffbe9e08a2660bc290a581aa0b54637524aaf6040a70e54f97136ce5ac |
| SHA512 | 7ad84d4d3bab3f5a3e14f336d8931bf4b876299000081b2a94a3fcf698c56b82514753b483c5b8d7ae84ddd92ee1c4043fa5e7fb7c4f7e9eb52ca8c794e508b7 |
C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe
| MD5 | aef6452711538d9021f929a2a5f633cf |
| SHA1 | 205b7fab75e77d1ff123991489462d39128e03f6 |
| SHA256 | e611a1ffbe9e08a2660bc290a581aa0b54637524aaf6040a70e54f97136ce5ac |
| SHA512 | 7ad84d4d3bab3f5a3e14f336d8931bf4b876299000081b2a94a3fcf698c56b82514753b483c5b8d7ae84ddd92ee1c4043fa5e7fb7c4f7e9eb52ca8c794e508b7 |
C:\Users\Admin\AppData\Roaming\activeds\MKernel.dll
| MD5 | ab9ee0529bab6495e65bf7d25c2476a2 |
| SHA1 | 4438dc373b04cbab0320ccdf3ec5da8fb85f5f4f |
| SHA256 | 4f3e310c5b4fe873a91b19db66e2c1b69a30b4bf7362570d6b1d7d5105a4b0a9 |
| SHA512 | 05f4018f370ac18e32ab2c2642430154b5050948b12f0822024c960ffed94dc65469c22f01d67d0948fc1aa3eea16d3f0b47569275e87aacd934b74e83e2e7b4 |
C:\Users\Admin\AppData\Roaming\activeds\MUtils.dll
| MD5 | 6da9a492898b66db78f5c9d3fc7ecc64 |
| SHA1 | d264f67d92ccd4cfeaed1510ed0b6ae90d3f7db4 |
| SHA256 | 50dfc607913a47dd266e27f6533f3f6b8f9fe995582f7662a944149a26b5054c |
| SHA512 | 11bc138d16f279d70ece09e3d238ce891bc5015b6d49a750e153c2b9286bf95e285e818ed5e25e7c731cdfff1324cdb74155f68fda0ef8104eb0d554e2b2923e |
C:\Users\Admin\AppData\Roaming\activeds\coolcore49.dll
| MD5 | 4f27d1bacaf09d1919484355b341c868 |
| SHA1 | f1be78d484235270a1416c6acb20e2915ae050db |
| SHA256 | 12cddd3c62ff777f1738226fe0b4b36c8170e5e1c0c47fb5913f1a780dc5f450 |
| SHA512 | 328277fe18d2bbc11160d0c239c90e94d2689b8dbefb6fe46febb730fbcc6e18ced429f839d7a81d8e1b42fe4c1cb4afaaa5745353daf271ac21984f5c67aced |
C:\Users\Admin\AppData\Roaming\activeds\coolcore49.dll
| MD5 | 4f27d1bacaf09d1919484355b341c868 |
| SHA1 | f1be78d484235270a1416c6acb20e2915ae050db |
| SHA256 | 12cddd3c62ff777f1738226fe0b4b36c8170e5e1c0c47fb5913f1a780dc5f450 |
| SHA512 | 328277fe18d2bbc11160d0c239c90e94d2689b8dbefb6fe46febb730fbcc6e18ced429f839d7a81d8e1b42fe4c1cb4afaaa5745353daf271ac21984f5c67aced |
C:\Users\Admin\AppData\Roaming\activeds\coolcore49.dll
| MD5 | 4f27d1bacaf09d1919484355b341c868 |
| SHA1 | f1be78d484235270a1416c6acb20e2915ae050db |
| SHA256 | 12cddd3c62ff777f1738226fe0b4b36c8170e5e1c0c47fb5913f1a780dc5f450 |
| SHA512 | 328277fe18d2bbc11160d0c239c90e94d2689b8dbefb6fe46febb730fbcc6e18ced429f839d7a81d8e1b42fe4c1cb4afaaa5745353daf271ac21984f5c67aced |
C:\Users\Admin\AppData\Roaming\activeds\MUICoreLib.dll
| MD5 | 60a5383ba17d8f519cb4356e28873a14 |
| SHA1 | 6bf70393d957320a921226c7fcdf352a0a67442d |
| SHA256 | 80878e4543959b63cbd87e3ebb82f4988cbbdf9da564370aa15410783c5f343f |
| SHA512 | a0e0ef1d821e13977d14a806357128285edc0a26c01dcf9fd99e7c62f8efccdf608b1c0dceb1f3f40e988692eb549e22193d9ce253a1c0c1d8b10c46955bee12 |
C:\Users\Admin\AppData\Roaming\activeds\MDb.dll
| MD5 | be1262b27ff4a4349b337cc95b7746e7 |
| SHA1 | a88b9a167baedbaef047b862caecb8206548c2f6 |
| SHA256 | ab47f3a52c1c2a7f1855c48e2d085e87345590b1fb78353c7070c3b6600843fd |
| SHA512 | d70a9f1113b2b11ff5df3644b97d13cfe1deee1def13e751eabd8e84858e4ae6eb58d45926a1443cafbb7a261bcb61285b4c316014b43c6c6971f7261e13bb96 |
C:\Users\Admin\AppData\Roaming\activeds\MDb.dll
| MD5 | be1262b27ff4a4349b337cc95b7746e7 |
| SHA1 | a88b9a167baedbaef047b862caecb8206548c2f6 |
| SHA256 | ab47f3a52c1c2a7f1855c48e2d085e87345590b1fb78353c7070c3b6600843fd |
| SHA512 | d70a9f1113b2b11ff5df3644b97d13cfe1deee1def13e751eabd8e84858e4ae6eb58d45926a1443cafbb7a261bcb61285b4c316014b43c6c6971f7261e13bb96 |
memory/4832-173-0x00000000009D0000-0x0000000000A33000-memory.dmp
memory/4832-176-0x0000000000A40000-0x0000000000B11000-memory.dmp
C:\Users\Admin\AppData\Roaming\activeds\shallop.wmv
| MD5 | 983058d5482f9477c6b4fe17faef85db |
| SHA1 | 00d43c0588c8c88c9076b911d65d94d0b0913b69 |
| SHA256 | d3b79dee1b597a1901e7c7721b8019b79e555495d234056a85bbf0d7b1fc83a2 |
| SHA512 | d8a5589c890faf88dfac93c3f1d4818a6d20db5bd7830366c49247ec20426605c4c4b868eca4e0729a01f56dce3c87bfbe379d2c50f9bf5ffef3afcc50f8163a |
C:\Users\Admin\AppData\Roaming\activeds\MUICoreLib.dll
| MD5 | 60a5383ba17d8f519cb4356e28873a14 |
| SHA1 | 6bf70393d957320a921226c7fcdf352a0a67442d |
| SHA256 | 80878e4543959b63cbd87e3ebb82f4988cbbdf9da564370aa15410783c5f343f |
| SHA512 | a0e0ef1d821e13977d14a806357128285edc0a26c01dcf9fd99e7c62f8efccdf608b1c0dceb1f3f40e988692eb549e22193d9ce253a1c0c1d8b10c46955bee12 |
C:\Users\Admin\AppData\Roaming\activeds\MUIUtils.dll
| MD5 | 97d6efb8b8e0b0f03701a7bafc398545 |
| SHA1 | 0fe11e0b7f47fdec9aaa98b83728c125409e9d5b |
| SHA256 | 51c8715fac6797b7f962a68903f1f994c2af1088ac31972b5e512dab5ab4fd8e |
| SHA512 | 2bf8935ad96f35586be6074e8798fa36ee13a05cef05aa0df120ef6800cc1d941310c672894d2380b87c7491663c137fa5bcade4a732bcc6448ba3bf0badb2d7 |
C:\Users\Admin\AppData\Roaming\activeds\MUIUtils.dll
| MD5 | 97d6efb8b8e0b0f03701a7bafc398545 |
| SHA1 | 0fe11e0b7f47fdec9aaa98b83728c125409e9d5b |
| SHA256 | 51c8715fac6797b7f962a68903f1f994c2af1088ac31972b5e512dab5ab4fd8e |
| SHA512 | 2bf8935ad96f35586be6074e8798fa36ee13a05cef05aa0df120ef6800cc1d941310c672894d2380b87c7491663c137fa5bcade4a732bcc6448ba3bf0badb2d7 |
C:\Users\Admin\AppData\Roaming\activeds\msvcr71.dll
| MD5 | 86f1895ae8c5e8b17d99ece768a70732 |
| SHA1 | d5502a1d00787d68f548ddeebbde1eca5e2b38ca |
| SHA256 | 8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe |
| SHA512 | 3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da |
C:\Users\Admin\AppData\Roaming\activeds\coolcore49.dll
| MD5 | 4f27d1bacaf09d1919484355b341c868 |
| SHA1 | f1be78d484235270a1416c6acb20e2915ae050db |
| SHA256 | 12cddd3c62ff777f1738226fe0b4b36c8170e5e1c0c47fb5913f1a780dc5f450 |
| SHA512 | 328277fe18d2bbc11160d0c239c90e94d2689b8dbefb6fe46febb730fbcc6e18ced429f839d7a81d8e1b42fe4c1cb4afaaa5745353daf271ac21984f5c67aced |
C:\Users\Admin\AppData\Roaming\activeds\xprt6.dll
| MD5 | d145903e217ddde20ce32ed9e5074e16 |
| SHA1 | bdb3265d872f446d7445aae4f2d0beba5dae3bd8 |
| SHA256 | 9317971d3615415691420d06b06de89b67aea164877b74e308bb9c338ca0eca4 |
| SHA512 | 00e7df32ab3c8a46b4e8761634ddeac28410f46a9312923f46b1d83376d69489653763661f2c51ac9f85028a11d8496c911eabcb55a19222caf311be61504666 |
C:\Users\Admin\AppData\Roaming\activeds\MUICoreLib.dll
| MD5 | 60a5383ba17d8f519cb4356e28873a14 |
| SHA1 | 6bf70393d957320a921226c7fcdf352a0a67442d |
| SHA256 | 80878e4543959b63cbd87e3ebb82f4988cbbdf9da564370aa15410783c5f343f |
| SHA512 | a0e0ef1d821e13977d14a806357128285edc0a26c01dcf9fd99e7c62f8efccdf608b1c0dceb1f3f40e988692eb549e22193d9ce253a1c0c1d8b10c46955bee12 |
C:\Users\Admin\AppData\Roaming\activeds\msvcp71.dll
| MD5 | 561fa2abb31dfa8fab762145f81667c2 |
| SHA1 | c8ccb04eedac821a13fae314a2435192860c72b8 |
| SHA256 | df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b |
| SHA512 | 7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43 |
C:\Users\Admin\AppData\Roaming\activeds\MSVCR71.dll
| MD5 | 86f1895ae8c5e8b17d99ece768a70732 |
| SHA1 | d5502a1d00787d68f548ddeebbde1eca5e2b38ca |
| SHA256 | 8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe |
| SHA512 | 3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da |
C:\Users\Admin\AppData\Roaming\activeds\MKernel.dll
| MD5 | ab9ee0529bab6495e65bf7d25c2476a2 |
| SHA1 | 4438dc373b04cbab0320ccdf3ec5da8fb85f5f4f |
| SHA256 | 4f3e310c5b4fe873a91b19db66e2c1b69a30b4bf7362570d6b1d7d5105a4b0a9 |
| SHA512 | 05f4018f370ac18e32ab2c2642430154b5050948b12f0822024c960ffed94dc65469c22f01d67d0948fc1aa3eea16d3f0b47569275e87aacd934b74e83e2e7b4 |
C:\Users\Admin\AppData\Roaming\activeds\MUIUtils.dll
| MD5 | 97d6efb8b8e0b0f03701a7bafc398545 |
| SHA1 | 0fe11e0b7f47fdec9aaa98b83728c125409e9d5b |
| SHA256 | 51c8715fac6797b7f962a68903f1f994c2af1088ac31972b5e512dab5ab4fd8e |
| SHA512 | 2bf8935ad96f35586be6074e8798fa36ee13a05cef05aa0df120ef6800cc1d941310c672894d2380b87c7491663c137fa5bcade4a732bcc6448ba3bf0badb2d7 |
C:\Users\Admin\AppData\Roaming\activeds\MUtils.dll
| MD5 | 6da9a492898b66db78f5c9d3fc7ecc64 |
| SHA1 | d264f67d92ccd4cfeaed1510ed0b6ae90d3f7db4 |
| SHA256 | 50dfc607913a47dd266e27f6533f3f6b8f9fe995582f7662a944149a26b5054c |
| SHA512 | 11bc138d16f279d70ece09e3d238ce891bc5015b6d49a750e153c2b9286bf95e285e818ed5e25e7c731cdfff1324cdb74155f68fda0ef8104eb0d554e2b2923e |
C:\Users\Admin\AppData\Roaming\activeds\xprt6.dll
| MD5 | d145903e217ddde20ce32ed9e5074e16 |
| SHA1 | bdb3265d872f446d7445aae4f2d0beba5dae3bd8 |
| SHA256 | 9317971d3615415691420d06b06de89b67aea164877b74e308bb9c338ca0eca4 |
| SHA512 | 00e7df32ab3c8a46b4e8761634ddeac28410f46a9312923f46b1d83376d69489653763661f2c51ac9f85028a11d8496c911eabcb55a19222caf311be61504666 |
C:\Users\Admin\AppData\Roaming\activeds\MCoreLib.dll
| MD5 | 815b07c37c83b13457d37ca8c6a7a561 |
| SHA1 | 746138b85e5611fd058c008411889a15870083cd |
| SHA256 | 153c1b5e96e7bc4c9f858c3cc3bc6cd5e09ef68776d95871ca38824c430654c4 |
| SHA512 | 8949ab1deae036ae785ad20c634519aa368b4768f0dd65c0dc53f8ea70dd7d707c984277b914de14054eb8a044182ff78205e3a02555e377750bb829760b8c31 |
C:\Users\Admin\AppData\Roaming\activeds\MCoreLib.dll
| MD5 | 815b07c37c83b13457d37ca8c6a7a561 |
| SHA1 | 746138b85e5611fd058c008411889a15870083cd |
| SHA256 | 153c1b5e96e7bc4c9f858c3cc3bc6cd5e09ef68776d95871ca38824c430654c4 |
| SHA512 | 8949ab1deae036ae785ad20c634519aa368b4768f0dd65c0dc53f8ea70dd7d707c984277b914de14054eb8a044182ff78205e3a02555e377750bb829760b8c31 |
C:\Users\Admin\AppData\Roaming\activeds\MSVCP71.dll
| MD5 | 561fa2abb31dfa8fab762145f81667c2 |
| SHA1 | c8ccb04eedac821a13fae314a2435192860c72b8 |
| SHA256 | df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b |
| SHA512 | 7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43 |
memory/4832-179-0x00000000738D0000-0x0000000074B24000-memory.dmp
memory/3312-181-0x00000000738D0000-0x0000000074B24000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2a9ffaed
| MD5 | f43237a372e23f3fc7784252cb68c107 |
| SHA1 | 8fde67e21a2b8787908b0bf893af3d25231c6285 |
| SHA256 | 850a21100cc6501d17aa57622afaf26621f8a8afb493f3397fe780ae5d7e9e69 |
| SHA512 | 44dd8845317ae1a34cbfad8cdae5ede0fcfc3aa6b93db92e2f9d09a92cc1041b66dc9b845cab5d9b7a4526fae951456f630fe1be40f613ba61d1b0a11136f12c |
memory/3312-183-0x00007FFDDD3F0000-0x00007FFDDD5E5000-memory.dmp
memory/1780-185-0x00007FFDDD3F0000-0x00007FFDDD5E5000-memory.dmp
memory/1780-186-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1780-188-0x0000000000430000-0x0000000000863000-memory.dmp
memory/1780-190-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1780-191-0x0000000000400000-0x0000000000408000-memory.dmp