Malware Analysis Report

2025-08-05 19:55

Sample ID 240518-q1mlaseb7t
Target 550112f9f98e8b7e7ff55b3cbb985c68_JaffaCakes118
SHA256 e444b4058d7ce00244581868383d14b7e159c27b9b65dcc3751fb56a69796d40
Tags
persistence upx blackmoon
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e444b4058d7ce00244581868383d14b7e159c27b9b65dcc3751fb56a69796d40

Threat Level: Known bad

The file 550112f9f98e8b7e7ff55b3cbb985c68_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence upx blackmoon

Blackmoon family

Detect Blackmoon payload

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

NTFS ADS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 13:43

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 13:43

Reported

2024-05-18 13:46

Platform

win7-20231129-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\btsearcher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\???????\\unpacked.exe tray" C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe

"C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 happygolife.com udp
US 67.225.218.22:443 happygolife.com tcp
US 67.225.218.22:443 happygolife.com tcp
US 8.8.8.8:53 ww12.happygolife.com udp
US 75.2.81.221:80 ww12.happygolife.com tcp
US 75.2.81.221:80 ww12.happygolife.com tcp

Files

memory/1960-0-0x0000000000400000-0x000000000055BAED-memory.dmp

C:\Users\Admin\AppData\Roaming\btSearcher\setting.ini

MD5 2ae006985074e066e98832bb643c6714
SHA1 964ab257b7802dcdcf2099209f8125254e504e5c
SHA256 bcd08e12ade691bc6e24faa4540d4519bd2f3a7fc9afaf5cc88b15474469c567
SHA512 d9c48e5760153fcaf44dcb38d57dad76cac2578691c53d14641ffaaf0a225e22dff66a65709419abb1a68a7a56bfecb7ae8eb2fd6d9ad25e16ca7a9bcbb9b61a

memory/1960-32-0x0000000000400000-0x000000000055BAED-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 13:43

Reported

2024-05-18 13:46

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\btsearcher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\???????\\unpacked.exe tray" C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe

"C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 happygolife.com udp
US 67.225.218.22:443 happygolife.com tcp
US 67.225.218.22:443 happygolife.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 22.218.225.67.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 ww12.happygolife.com udp
US 75.2.81.221:80 ww12.happygolife.com tcp
US 75.2.81.221:80 ww12.happygolife.com tcp
US 8.8.8.8:53 221.81.2.75.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/3964-0-0x0000000000400000-0x000000000055BAED-memory.dmp

C:\Users\Admin\AppData\Roaming\btSearcher\setting.ini

MD5 2ae006985074e066e98832bb643c6714
SHA1 964ab257b7802dcdcf2099209f8125254e504e5c
SHA256 bcd08e12ade691bc6e24faa4540d4519bd2f3a7fc9afaf5cc88b15474469c567
SHA512 d9c48e5760153fcaf44dcb38d57dad76cac2578691c53d14641ffaaf0a225e22dff66a65709419abb1a68a7a56bfecb7ae8eb2fd6d9ad25e16ca7a9bcbb9b61a

memory/3964-26-0x0000000000400000-0x000000000055BAED-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-18 13:43

Reported

2024-05-18 13:46

Platform

win7-20240419-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\btsearcher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\???????\\unpacked.dll tray" C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\Media\Desktop.ini:dbase.mdb C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe N/A
File opened for modification C:\WINDOWS\Media\Desktop.ini:dbase.mdb C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe N/A
File opened for modification C:\WINDOWS\Media\Desktop.ini:dbase.ldb C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe N/A
File created C:\WINDOWS\Media\ActiveX.ocx C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\WINDOWS\Media\Desktop.ini:dbase.mdb C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe N/A
File opened for modification C:\WINDOWS\Media\Desktop.ini:dbase.mdb C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe N/A
File opened for modification C:\WINDOWS\Media\Desktop.ini:dbase.ldb C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll
PID 2424 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll
PID 2424 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll
PID 2424 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll
PID 2424 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2424 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2424 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2424 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2424 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2424 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2424 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe

"C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe"

C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll

unpacked.dll

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 C:\WINDOWS\Media\ActiveX.ocx /s

Network

Country Destination Domain Proto
US 8.8.8.8:53 happygolife.com udp
US 67.225.218.22:443 happygolife.com tcp
US 67.225.218.22:443 happygolife.com tcp
US 8.8.8.8:53 ww12.happygolife.com udp
US 75.2.81.221:80 ww12.happygolife.com tcp
US 75.2.81.221:80 ww12.happygolife.com tcp

Files

memory/2424-0-0x00000000021E0000-0x000000000233C000-memory.dmp

C:\Users\Admin\AppData\Roaming\btSearcher\setting.ini

MD5 2ae006985074e066e98832bb643c6714
SHA1 964ab257b7802dcdcf2099209f8125254e504e5c
SHA256 bcd08e12ade691bc6e24faa4540d4519bd2f3a7fc9afaf5cc88b15474469c567
SHA512 d9c48e5760153fcaf44dcb38d57dad76cac2578691c53d14641ffaaf0a225e22dff66a65709419abb1a68a7a56bfecb7ae8eb2fd6d9ad25e16ca7a9bcbb9b61a

memory/3036-16-0x0000000000400000-0x000000000055BAED-memory.dmp

C:\WINDOWS\Media\ActiveX.ocx

MD5 a73431462998145c37a7b8da674bc0bb
SHA1 8532ec2289490763fb304a88918bf74fa53dd716
SHA256 12b90653bfe0d052d84ead17226688a5c5ce278f28128d5e36b0096c900dfa95
SHA512 958a8d7b1c85a210010207f39da13f04b7c40d792bd9bf2f4ff27dc3a86ef3b7bc2d44dad1accc13e1bbc94a0a92dbdbcf79e694be04fc7c6b5554bd08a3c7f8

memory/3036-46-0x0000000000400000-0x000000000055BAED-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-18 13:43

Reported

2024-05-18 13:46

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\btsearcher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\???????\\unpacked.dll tray" C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\Media\Desktop.ini:dbase.mdb C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe N/A
File created C:\WINDOWS\Media\ActiveX.ocx C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\WINDOWS\Media\Desktop.ini:dbase.mdb C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll N/A

Processes

C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe

"C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\章鱼搜索破解版.exe"

C:\Users\Admin\AppData\Local\Temp\章鱼搜索破解版\unpacked.dll

unpacked.dll

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 C:\WINDOWS\Media\ActiveX.ocx /s

Network

Country Destination Domain Proto
US 8.8.8.8:53 happygolife.com udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 67.225.218.22:443 happygolife.com tcp
US 67.225.218.22:443 happygolife.com tcp
US 8.8.8.8:53 22.218.225.67.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 ww12.happygolife.com udp
US 75.2.81.221:80 ww12.happygolife.com tcp
US 75.2.81.221:80 ww12.happygolife.com tcp
US 8.8.8.8:53 221.81.2.75.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

memory/4548-0-0x0000000000400000-0x000000000055BAED-memory.dmp

C:\Users\Admin\AppData\Roaming\btSearcher\setting.ini

MD5 2ae006985074e066e98832bb643c6714
SHA1 964ab257b7802dcdcf2099209f8125254e504e5c
SHA256 bcd08e12ade691bc6e24faa4540d4519bd2f3a7fc9afaf5cc88b15474469c567
SHA512 d9c48e5760153fcaf44dcb38d57dad76cac2578691c53d14641ffaaf0a225e22dff66a65709419abb1a68a7a56bfecb7ae8eb2fd6d9ad25e16ca7a9bcbb9b61a

C:\WINDOWS\Media\ActiveX.ocx

MD5 e153e6f751d7b30640cff939cf299a8c
SHA1 d12c43a87b4d46ef1e3a3f8d6a4b645fe4c95dfb
SHA256 a55c223f4deab41e67cc1037efc6c5ef0c28c18e99861360cacbfa24b2ca84f1
SHA512 2bbdbe683f323caad94c4b1252ae284a8a5ee2eaa5768b274757601f31dbf5f5b98c419e8075f6c3f9b8111727d1707da9be29c3e78b85bff5774928a7a93764

memory/4548-29-0x0000000000400000-0x000000000055BAED-memory.dmp