Analysis Overview
SHA256
5de6ecc309b21294697c652312d1625d50c67351f831a3729fe8c674812acd9b
Threat Level: Known bad
The file 112f2eee8508a695eda686e996db0ec7 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 06:34
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 06:34
Reported
2024-01-01 05:48
Platform
win7-20231215-en
Max time kernel
150s
Max time network
126s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Xn52D01G\AdapterTroubleshooter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\w4H4yzx\StikyNot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\kBY9CC\ddodiag.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Xn52D01G\AdapterTroubleshooter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\w4H4yzx\StikyNot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\kBY9CC\ddodiag.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\rEqQU6PGeui\\StikyNot.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Xn52D01G\AdapterTroubleshooter.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\w4H4yzx\StikyNot.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\kBY9CC\ddodiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\112f2eee8508a695eda686e996db0ec7.dll,#1
C:\Windows\system32\AdapterTroubleshooter.exe
C:\Windows\system32\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\Xn52D01G\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\Xn52D01G\AdapterTroubleshooter.exe
C:\Windows\system32\StikyNot.exe
C:\Windows\system32\StikyNot.exe
C:\Users\Admin\AppData\Local\w4H4yzx\StikyNot.exe
C:\Users\Admin\AppData\Local\w4H4yzx\StikyNot.exe
C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
C:\Users\Admin\AppData\Local\kBY9CC\ddodiag.exe
C:\Users\Admin\AppData\Local\kBY9CC\ddodiag.exe
Network
Files
\Users\Admin\AppData\Local\Xn52D01G\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\Xn52D01G\d3d9.dll
\Users\Admin\AppData\Local\w4H4yzx\StikyNot.exe
C:\Users\Admin\AppData\Local\w4H4yzx\DUI70.dll
\Users\Admin\AppData\Local\kBY9CC\ddodiag.exe
C:\Users\Admin\AppData\Local\kBY9CC\XmlLite.dll
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 06:34
Reported
2024-01-01 05:48
Platform
win10v2004-20231215-en
Max time kernel
84s
Max time network
158s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ZzO\ApplicationFrameHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Hkq\ddodiag.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ZzO\ApplicationFrameHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Hkq\ddodiag.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\FN\\GamePanel.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ZzO\ApplicationFrameHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Hkq\ddodiag.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3456 wrote to memory of 1236 | N/A | N/A | C:\Windows\system32\ApplicationFrameHost.exe |
| PID 3456 wrote to memory of 1236 | N/A | N/A | C:\Windows\system32\ApplicationFrameHost.exe |
| PID 3456 wrote to memory of 2412 | N/A | N/A | C:\Users\Admin\AppData\Local\ZzO\ApplicationFrameHost.exe |
| PID 3456 wrote to memory of 2412 | N/A | N/A | C:\Users\Admin\AppData\Local\ZzO\ApplicationFrameHost.exe |
| PID 3456 wrote to memory of 4936 | N/A | N/A | C:\Windows\system32\GamePanel.exe |
| PID 3456 wrote to memory of 4936 | N/A | N/A | C:\Windows\system32\GamePanel.exe |
| PID 3456 wrote to memory of 4800 | N/A | N/A | C:\Windows\system32\backgroundTaskHost.exe |
| PID 3456 wrote to memory of 4800 | N/A | N/A | C:\Windows\system32\backgroundTaskHost.exe |
| PID 3456 wrote to memory of 4588 | N/A | N/A | C:\Windows\system32\ddodiag.exe |
| PID 3456 wrote to memory of 4588 | N/A | N/A | C:\Windows\system32\ddodiag.exe |
| PID 3456 wrote to memory of 4444 | N/A | N/A | C:\Users\Admin\AppData\Local\Hkq\ddodiag.exe |
| PID 3456 wrote to memory of 4444 | N/A | N/A | C:\Users\Admin\AppData\Local\Hkq\ddodiag.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\112f2eee8508a695eda686e996db0ec7.dll,#1
C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\ZzO\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\ZzO\ApplicationFrameHost.exe
C:\Windows\system32\GamePanel.exe
C:\Windows\system32\GamePanel.exe
C:\Users\Admin\AppData\Local\BIEc4\GamePanel.exe
C:\Users\Admin\AppData\Local\BIEc4\GamePanel.exe
C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
C:\Users\Admin\AppData\Local\Hkq\ddodiag.exe
C:\Users\Admin\AppData\Local\Hkq\ddodiag.exe
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
Files
C:\Users\Admin\AppData\Local\ZzO\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\ZzO\dxgi.dll
C:\Users\Admin\AppData\Local\BIEc4\dwmapi.dll
C:\Users\Admin\AppData\Local\BIEc4\GamePanel.exe
C:\Users\Admin\AppData\Local\Hkq\XmlLite.dll
C:\Users\Admin\AppData\Local\Hkq\ddodiag.exe
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-635608581-3370340891-292606865-1000\xZvk\dxgi.dll
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\FN\dwmapi.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\6HZcJQlXox\XmlLite.dll