Malware Analysis Report

2024-11-30 23:33

Sample ID 230919-aseygsdf4t
Target 82cf051811579ee4f1d9978af52f12db
SHA256 2227d5b2e2782a03bdb847a8ebf9ea40cc2c9f10f48385154c66ded1577b1deb
Tags
systembc trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2227d5b2e2782a03bdb847a8ebf9ea40cc2c9f10f48385154c66ded1577b1deb

Threat Level: Known bad

The file 82cf051811579ee4f1d9978af52f12db was found to be: Known bad.

Malicious Activity Summary

systembc trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

SystemBC

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-19 00:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-19 00:28

Reported

2023-09-19 00:30

Platform

win7-20230831-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\82cf051811579ee4f1d9978af52f12db.exe"

Signatures

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\82cf051811579ee4f1d9978af52f12db.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = ... C:\Users\Admin\AppData\Local\Temp\82cf051811579ee4f1d9978af52f12db.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\82cf051811579ee4f1d9978af52f12db.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = ... C:\Users\Admin\AppData\Local\Temp\82cf051811579ee4f1d9978af52f12db.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\82cf051811579ee4f1d9978af52f12db.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = ... C:\Users\Admin\AppData\Local\Temp\82cf051811579ee4f1d9978af52f12db.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\82cf051811579ee4f1d9978af52f12db.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\82cf051811579ee4f1d9978af52f12db.exe

"C:\Users\Admin\AppData\Local\Temp\82cf051811579ee4f1d9978af52f12db.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 doi.org udp
US 104.26.8.237:443 doi.org tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.141:80 apps.identrust.com tcp
US 8.8.8.8:53 www.doi.org udp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 18.239.69.37:443 www.doi.org tcp
US 8.8.8.8:53 www.doi.org udp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 18.239.69.89:443 www.doi.org tcp
US 8.8.8.8:53 www.doi.org udp
US 18.239.69.59:443 www.doi.org tcp
US 18.239.69.59:443 www.doi.org tcp
US 18.239.69.59:443 www.doi.org tcp
US 18.239.69.59:443 www.doi.org tcp
US 18.239.69.59:443 www.doi.org tcp
US 18.239.69.59:443 www.doi.org tcp
US 18.239.69.59:443 www.doi.org tcp
US 18.239.69.59:443 www.doi.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab392C.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar39DA.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65893dd0a62350343f1f56ae2e10188e
SHA1 cfc53fa50c376949202295ab11561832da6cc837
SHA256 4381b7ab49af9dd6245da492fb2421a7a081e9236305dddffd6f1a7814bb1b30
SHA512 1a6f49a67670d6452bb3d1561d671290f71a2be016b1a43b989be75f0c68248460e6af216e807457b7d1ff0c1a16a8d2de932af46975c3db137eb599821e94aa

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-19 00:28

Reported

2023-09-19 00:30

Platform

win10v2004-20230915-en

Max time kernel

144s

Max time network

147s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4680 created 3188 N/A C:\Users\Admin\AppData\Local\Temp\82cf051811579ee4f1d9978af52f12db.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4004 set thread context of 1048 N/A C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\82cf051811579ee4f1d9978af52f12db.exe

"C:\Users\Admin\AppData\Local\Temp\82cf051811579ee4f1d9978af52f12db.exe"

C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe

"C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\SysWOW64\cmd.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 doi.org udp
US 172.67.72.147:443 doi.org tcp
US 8.8.8.8:53 www.doi.org udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 147.72.67.172.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 18.239.69.37:443 www.doi.org tcp
US 8.8.8.8:53 i.imgur.com udp
NL 199.232.148.193:443 i.imgur.com tcp
US 8.8.8.8:53 37.69.239.18.in-addr.arpa udp
US 8.8.8.8:53 193.148.232.199.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 126.179.238.8.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

memory/4680-1-0x00000000742C0000-0x0000000074551000-memory.dmp

C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe

MD5 aef6452711538d9021f929a2a5f633cf
SHA1 205b7fab75e77d1ff123991489462d39128e03f6
SHA256 e611a1ffbe9e08a2660bc290a581aa0b54637524aaf6040a70e54f97136ce5ac
SHA512 7ad84d4d3bab3f5a3e14f336d8931bf4b876299000081b2a94a3fcf698c56b82514753b483c5b8d7ae84ddd92ee1c4043fa5e7fb7c4f7e9eb52ca8c794e508b7

C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe

MD5 aef6452711538d9021f929a2a5f633cf
SHA1 205b7fab75e77d1ff123991489462d39128e03f6
SHA256 e611a1ffbe9e08a2660bc290a581aa0b54637524aaf6040a70e54f97136ce5ac
SHA512 7ad84d4d3bab3f5a3e14f336d8931bf4b876299000081b2a94a3fcf698c56b82514753b483c5b8d7ae84ddd92ee1c4043fa5e7fb7c4f7e9eb52ca8c794e508b7

C:\Users\Admin\AppData\Roaming\activeds\MKernel.dll

MD5 ab9ee0529bab6495e65bf7d25c2476a2
SHA1 4438dc373b04cbab0320ccdf3ec5da8fb85f5f4f
SHA256 4f3e310c5b4fe873a91b19db66e2c1b69a30b4bf7362570d6b1d7d5105a4b0a9
SHA512 05f4018f370ac18e32ab2c2642430154b5050948b12f0822024c960ffed94dc65469c22f01d67d0948fc1aa3eea16d3f0b47569275e87aacd934b74e83e2e7b4

C:\Users\Admin\AppData\Roaming\activeds\xprt6.dll

MD5 d145903e217ddde20ce32ed9e5074e16
SHA1 bdb3265d872f446d7445aae4f2d0beba5dae3bd8
SHA256 9317971d3615415691420d06b06de89b67aea164877b74e308bb9c338ca0eca4
SHA512 00e7df32ab3c8a46b4e8761634ddeac28410f46a9312923f46b1d83376d69489653763661f2c51ac9f85028a11d8496c911eabcb55a19222caf311be61504666

C:\Users\Admin\AppData\Roaming\activeds\MSVCP71.dll

MD5 561fa2abb31dfa8fab762145f81667c2
SHA1 c8ccb04eedac821a13fae314a2435192860c72b8
SHA256 df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b
SHA512 7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

C:\Users\Admin\AppData\Roaming\activeds\MKernel.dll

MD5 ab9ee0529bab6495e65bf7d25c2476a2
SHA1 4438dc373b04cbab0320ccdf3ec5da8fb85f5f4f
SHA256 4f3e310c5b4fe873a91b19db66e2c1b69a30b4bf7362570d6b1d7d5105a4b0a9
SHA512 05f4018f370ac18e32ab2c2642430154b5050948b12f0822024c960ffed94dc65469c22f01d67d0948fc1aa3eea16d3f0b47569275e87aacd934b74e83e2e7b4

C:\Users\Admin\AppData\Roaming\activeds\MCoreLib.dll

MD5 815b07c37c83b13457d37ca8c6a7a561
SHA1 746138b85e5611fd058c008411889a15870083cd
SHA256 153c1b5e96e7bc4c9f858c3cc3bc6cd5e09ef68776d95871ca38824c430654c4
SHA512 8949ab1deae036ae785ad20c634519aa368b4768f0dd65c0dc53f8ea70dd7d707c984277b914de14054eb8a044182ff78205e3a02555e377750bb829760b8c31

C:\Users\Admin\AppData\Roaming\activeds\MUIUtils.dll

MD5 97d6efb8b8e0b0f03701a7bafc398545
SHA1 0fe11e0b7f47fdec9aaa98b83728c125409e9d5b
SHA256 51c8715fac6797b7f962a68903f1f994c2af1088ac31972b5e512dab5ab4fd8e
SHA512 2bf8935ad96f35586be6074e8798fa36ee13a05cef05aa0df120ef6800cc1d941310c672894d2380b87c7491663c137fa5bcade4a732bcc6448ba3bf0badb2d7

C:\Users\Admin\AppData\Roaming\activeds\MUICoreLib.dll

MD5 60a5383ba17d8f519cb4356e28873a14
SHA1 6bf70393d957320a921226c7fcdf352a0a67442d
SHA256 80878e4543959b63cbd87e3ebb82f4988cbbdf9da564370aa15410783c5f343f
SHA512 a0e0ef1d821e13977d14a806357128285edc0a26c01dcf9fd99e7c62f8efccdf608b1c0dceb1f3f40e988692eb549e22193d9ce253a1c0c1d8b10c46955bee12

C:\Users\Admin\AppData\Roaming\activeds\MUICoreLib.dll

MD5 60a5383ba17d8f519cb4356e28873a14
SHA1 6bf70393d957320a921226c7fcdf352a0a67442d
SHA256 80878e4543959b63cbd87e3ebb82f4988cbbdf9da564370aa15410783c5f343f
SHA512 a0e0ef1d821e13977d14a806357128285edc0a26c01dcf9fd99e7c62f8efccdf608b1c0dceb1f3f40e988692eb549e22193d9ce253a1c0c1d8b10c46955bee12

C:\Users\Admin\AppData\Roaming\activeds\MDb.dll

MD5 be1262b27ff4a4349b337cc95b7746e7
SHA1 a88b9a167baedbaef047b862caecb8206548c2f6
SHA256 ab47f3a52c1c2a7f1855c48e2d085e87345590b1fb78353c7070c3b6600843fd
SHA512 d70a9f1113b2b11ff5df3644b97d13cfe1deee1def13e751eabd8e84858e4ae6eb58d45926a1443cafbb7a261bcb61285b4c316014b43c6c6971f7261e13bb96

memory/4004-41-0x0000000000A00000-0x0000000000A63000-memory.dmp

memory/4004-44-0x0000000000A70000-0x0000000000B41000-memory.dmp

C:\Users\Admin\AppData\Roaming\activeds\MUICoreLib.dll

MD5 60a5383ba17d8f519cb4356e28873a14
SHA1 6bf70393d957320a921226c7fcdf352a0a67442d
SHA256 80878e4543959b63cbd87e3ebb82f4988cbbdf9da564370aa15410783c5f343f
SHA512 a0e0ef1d821e13977d14a806357128285edc0a26c01dcf9fd99e7c62f8efccdf608b1c0dceb1f3f40e988692eb549e22193d9ce253a1c0c1d8b10c46955bee12

C:\Users\Admin\AppData\Roaming\activeds\shallop.wmv

MD5 983058d5482f9477c6b4fe17faef85db
SHA1 00d43c0588c8c88c9076b911d65d94d0b0913b69
SHA256 d3b79dee1b597a1901e7c7721b8019b79e555495d234056a85bbf0d7b1fc83a2
SHA512 d8a5589c890faf88dfac93c3f1d4818a6d20db5bd7830366c49247ec20426605c4c4b868eca4e0729a01f56dce3c87bfbe379d2c50f9bf5ffef3afcc50f8163a

C:\Users\Admin\AppData\Roaming\activeds\MUIUtils.dll

MD5 97d6efb8b8e0b0f03701a7bafc398545
SHA1 0fe11e0b7f47fdec9aaa98b83728c125409e9d5b
SHA256 51c8715fac6797b7f962a68903f1f994c2af1088ac31972b5e512dab5ab4fd8e
SHA512 2bf8935ad96f35586be6074e8798fa36ee13a05cef05aa0df120ef6800cc1d941310c672894d2380b87c7491663c137fa5bcade4a732bcc6448ba3bf0badb2d7

C:\Users\Admin\AppData\Roaming\activeds\coolcore49.dll

MD5 4f27d1bacaf09d1919484355b341c868
SHA1 f1be78d484235270a1416c6acb20e2915ae050db
SHA256 12cddd3c62ff777f1738226fe0b4b36c8170e5e1c0c47fb5913f1a780dc5f450
SHA512 328277fe18d2bbc11160d0c239c90e94d2689b8dbefb6fe46febb730fbcc6e18ced429f839d7a81d8e1b42fe4c1cb4afaaa5745353daf271ac21984f5c67aced

C:\Users\Admin\AppData\Roaming\activeds\coolcore49.dll

MD5 4f27d1bacaf09d1919484355b341c868
SHA1 f1be78d484235270a1416c6acb20e2915ae050db
SHA256 12cddd3c62ff777f1738226fe0b4b36c8170e5e1c0c47fb5913f1a780dc5f450
SHA512 328277fe18d2bbc11160d0c239c90e94d2689b8dbefb6fe46febb730fbcc6e18ced429f839d7a81d8e1b42fe4c1cb4afaaa5745353daf271ac21984f5c67aced

C:\Users\Admin\AppData\Roaming\activeds\coolcore49.dll

MD5 4f27d1bacaf09d1919484355b341c868
SHA1 f1be78d484235270a1416c6acb20e2915ae050db
SHA256 12cddd3c62ff777f1738226fe0b4b36c8170e5e1c0c47fb5913f1a780dc5f450
SHA512 328277fe18d2bbc11160d0c239c90e94d2689b8dbefb6fe46febb730fbcc6e18ced429f839d7a81d8e1b42fe4c1cb4afaaa5745353daf271ac21984f5c67aced

C:\Users\Admin\AppData\Roaming\activeds\msvcr71.dll

MD5 86f1895ae8c5e8b17d99ece768a70732
SHA1 d5502a1d00787d68f548ddeebbde1eca5e2b38ca
SHA256 8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe
SHA512 3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

memory/4004-47-0x00000000739E0000-0x0000000074C34000-memory.dmp

C:\Users\Admin\AppData\Roaming\activeds\MDb.dll

MD5 be1262b27ff4a4349b337cc95b7746e7
SHA1 a88b9a167baedbaef047b862caecb8206548c2f6
SHA256 ab47f3a52c1c2a7f1855c48e2d085e87345590b1fb78353c7070c3b6600843fd
SHA512 d70a9f1113b2b11ff5df3644b97d13cfe1deee1def13e751eabd8e84858e4ae6eb58d45926a1443cafbb7a261bcb61285b4c316014b43c6c6971f7261e13bb96

C:\Users\Admin\AppData\Roaming\activeds\msvcr71.dll

MD5 86f1895ae8c5e8b17d99ece768a70732
SHA1 d5502a1d00787d68f548ddeebbde1eca5e2b38ca
SHA256 8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe
SHA512 3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

C:\Users\Admin\AppData\Roaming\activeds\MUtils.dll

MD5 6da9a492898b66db78f5c9d3fc7ecc64
SHA1 d264f67d92ccd4cfeaed1510ed0b6ae90d3f7db4
SHA256 50dfc607913a47dd266e27f6533f3f6b8f9fe995582f7662a944149a26b5054c
SHA512 11bc138d16f279d70ece09e3d238ce891bc5015b6d49a750e153c2b9286bf95e285e818ed5e25e7c731cdfff1324cdb74155f68fda0ef8104eb0d554e2b2923e

C:\Users\Admin\AppData\Roaming\activeds\MUIUtils.dll

MD5 97d6efb8b8e0b0f03701a7bafc398545
SHA1 0fe11e0b7f47fdec9aaa98b83728c125409e9d5b
SHA256 51c8715fac6797b7f962a68903f1f994c2af1088ac31972b5e512dab5ab4fd8e
SHA512 2bf8935ad96f35586be6074e8798fa36ee13a05cef05aa0df120ef6800cc1d941310c672894d2380b87c7491663c137fa5bcade4a732bcc6448ba3bf0badb2d7

C:\Users\Admin\AppData\Roaming\activeds\coolcore49.dll

MD5 4f27d1bacaf09d1919484355b341c868
SHA1 f1be78d484235270a1416c6acb20e2915ae050db
SHA256 12cddd3c62ff777f1738226fe0b4b36c8170e5e1c0c47fb5913f1a780dc5f450
SHA512 328277fe18d2bbc11160d0c239c90e94d2689b8dbefb6fe46febb730fbcc6e18ced429f839d7a81d8e1b42fe4c1cb4afaaa5745353daf271ac21984f5c67aced

C:\Users\Admin\AppData\Roaming\activeds\xprt6.dll

MD5 d145903e217ddde20ce32ed9e5074e16
SHA1 bdb3265d872f446d7445aae4f2d0beba5dae3bd8
SHA256 9317971d3615415691420d06b06de89b67aea164877b74e308bb9c338ca0eca4
SHA512 00e7df32ab3c8a46b4e8761634ddeac28410f46a9312923f46b1d83376d69489653763661f2c51ac9f85028a11d8496c911eabcb55a19222caf311be61504666

C:\Users\Admin\AppData\Roaming\activeds\msvcp71.dll

MD5 561fa2abb31dfa8fab762145f81667c2
SHA1 c8ccb04eedac821a13fae314a2435192860c72b8
SHA256 df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b
SHA512 7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

C:\Users\Admin\AppData\Roaming\activeds\MSVCR71.dll

MD5 86f1895ae8c5e8b17d99ece768a70732
SHA1 d5502a1d00787d68f548ddeebbde1eca5e2b38ca
SHA256 8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe
SHA512 3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

C:\Users\Admin\AppData\Roaming\activeds\MUtils.dll

MD5 6da9a492898b66db78f5c9d3fc7ecc64
SHA1 d264f67d92ccd4cfeaed1510ed0b6ae90d3f7db4
SHA256 50dfc607913a47dd266e27f6533f3f6b8f9fe995582f7662a944149a26b5054c
SHA512 11bc138d16f279d70ece09e3d238ce891bc5015b6d49a750e153c2b9286bf95e285e818ed5e25e7c731cdfff1324cdb74155f68fda0ef8104eb0d554e2b2923e

C:\Users\Admin\AppData\Roaming\activeds\MCoreLib.dll

MD5 815b07c37c83b13457d37ca8c6a7a561
SHA1 746138b85e5611fd058c008411889a15870083cd
SHA256 153c1b5e96e7bc4c9f858c3cc3bc6cd5e09ef68776d95871ca38824c430654c4
SHA512 8949ab1deae036ae785ad20c634519aa368b4768f0dd65c0dc53f8ea70dd7d707c984277b914de14054eb8a044182ff78205e3a02555e377750bb829760b8c31

memory/1048-49-0x00000000739E0000-0x0000000074C34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\177cc9b9

MD5 9d0cafebbeade7e4521820df518fd5e7
SHA1 65a8390ebdca1fa884983c1b7a5ec8990032c1e9
SHA256 963731b9ca2ea6bc26bce33055dc2d05e86bd4afeb1704b6e350e79c3effcb44
SHA512 b3b9812dff93821b7c8f85b6bf2788752333731b1da8b15ae6cd5d4a1ffbca9091387fdbc6500850fa1afa5f34726c6a72a68cfd877a86cfd2ac746c4105aa8b

memory/1048-51-0x00007FFA14B30000-0x00007FFA14D25000-memory.dmp

memory/4932-53-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4932-54-0x00007FFA14B30000-0x00007FFA14D25000-memory.dmp

memory/4932-55-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4932-56-0x0000000000D30000-0x0000000001163000-memory.dmp

memory/4932-57-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4932-58-0x0000000000400000-0x0000000000408000-memory.dmp