Malware Analysis Report

2024-11-30 21:11

Sample ID 231230-hb14dsfeb5
Target 112f2eee8508a695eda686e996db0ec7
SHA256 5de6ecc309b21294697c652312d1625d50c67351f831a3729fe8c674812acd9b
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 5de6ecc309b21294697c652312d1625d50c67351f831a3729fe8c674812acd9b

Threat Level: Known bad

The file 112f2eee8508a695eda686e996db0ec7 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-12-30 06:34

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-30 06:34
Reported 2024-01-01 05:48
Platform win7-20231215-en
Max time kernel 150s
Max time network 126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\112f2eee8508a695eda686e996db0ec7.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Xn52D01G\AdapterTroubleshooter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\w4H4yzx\StikyNot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\kBY9CC\ddodiag.exe N/A
(4 further rows with no recorded description, indicator, process or target)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\rEqQU6PGeui\\StikyNot.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Xn52D01G\AdapterTroubleshooter.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\w4H4yzx\StikyNot.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\kBY9CC\ddodiag.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further rows with no recorded description, indicator, process or target)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1240 wrote to memory of 524 N/A N/A C:\Windows\system32\AdapterTroubleshooter.exe
PID 1240 wrote to memory of 524 N/A N/A C:\Windows\system32\AdapterTroubleshooter.exe
PID 1240 wrote to memory of 524 N/A N/A C:\Windows\system32\AdapterTroubleshooter.exe
PID 1240 wrote to memory of 468 N/A N/A C:\Users\Admin\AppData\Local\Xn52D01G\AdapterTroubleshooter.exe
PID 1240 wrote to memory of 468 N/A N/A C:\Users\Admin\AppData\Local\Xn52D01G\AdapterTroubleshooter.exe
PID 1240 wrote to memory of 468 N/A N/A C:\Users\Admin\AppData\Local\Xn52D01G\AdapterTroubleshooter.exe
PID 1240 wrote to memory of 1324 N/A N/A C:\Windows\system32\StikyNot.exe
PID 1240 wrote to memory of 1324 N/A N/A C:\Windows\system32\StikyNot.exe
PID 1240 wrote to memory of 1324 N/A N/A C:\Windows\system32\StikyNot.exe
PID 1240 wrote to memory of 2200 N/A N/A C:\Users\Admin\AppData\Local\w4H4yzx\StikyNot.exe
PID 1240 wrote to memory of 2200 N/A N/A C:\Users\Admin\AppData\Local\w4H4yzx\StikyNot.exe
PID 1240 wrote to memory of 2200 N/A N/A C:\Users\Admin\AppData\Local\w4H4yzx\StikyNot.exe
PID 1240 wrote to memory of 2036 N/A N/A C:\Windows\system32\ddodiag.exe
PID 1240 wrote to memory of 2036 N/A N/A C:\Windows\system32\ddodiag.exe
PID 1240 wrote to memory of 2036 N/A N/A C:\Windows\system32\ddodiag.exe
PID 1240 wrote to memory of 2472 N/A N/A C:\Users\Admin\AppData\Local\kBY9CC\ddodiag.exe
PID 1240 wrote to memory of 2472 N/A N/A C:\Users\Admin\AppData\Local\kBY9CC\ddodiag.exe
PID 1240 wrote to memory of 2472 N/A N/A C:\Users\Admin\AppData\Local\kBY9CC\ddodiag.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\112f2eee8508a695eda686e996db0ec7.dll,#1

C:\Windows\system32\AdapterTroubleshooter.exe

C:\Windows\system32\AdapterTroubleshooter.exe

C:\Users\Admin\AppData\Local\Xn52D01G\AdapterTroubleshooter.exe

C:\Users\Admin\AppData\Local\Xn52D01G\AdapterTroubleshooter.exe

C:\Windows\system32\StikyNot.exe

C:\Windows\system32\StikyNot.exe

C:\Users\Admin\AppData\Local\w4H4yzx\StikyNot.exe

C:\Users\Admin\AppData\Local\w4H4yzx\StikyNot.exe

C:\Windows\system32\ddodiag.exe

C:\Windows\system32\ddodiag.exe

C:\Users\Admin\AppData\Local\kBY9CC\ddodiag.exe

C:\Users\Admin\AppData\Local\kBY9CC\ddodiag.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Xn52D01G\AdapterTroubleshooter.exe

MD5 d4170c9ff5b2f85b0ce0246033d26919
SHA1 a76118e8775e16237cf00f2fb79718be0dc84db1
SHA256 d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da
SHA512 9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

C:\Users\Admin\AppData\Local\Xn52D01G\d3d9.dll

MD5 5ebc83beb94631c756eff7d55efe1914
SHA1 d7185f2d4fcd8fa83b238db9ed98cf2a8965fe86
SHA256 ef70ce0fe4c09b0f2a0a823d061e049d710df849bbe10703226cf1ce21cc356b
SHA512 4005d6b9e79de0b81b495bfaa1000b4b82ec15dd1a7c70c3c46620f9c111a0bbf681b8a376feb4c4c0a42fbc30ab867d814965e1c15cd5262540c83e3a6225e2

\Users\Admin\AppData\Local\w4H4yzx\StikyNot.exe

MD5 b22cb67919ebad88b0e8bb9cda446010
SHA1 423a794d26d96d9f812d76d75fa89bffdc07d468
SHA256 2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128
SHA512 f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

C:\Users\Admin\AppData\Local\w4H4yzx\DUI70.dll

MD5 8236823c82716e5b17ac3fa8b2ce4eab
SHA1 afa84568ad0e0ca40079aada1d8f94c7d286609e
SHA256 fa02eb0c325d38708f5213dbd061943366d9e0d9d51d4619fe4e2ae5eee42d74
SHA512 5b13aaa7d3d6bb1c0dafdcb08dc7b928ceda44d9414602a428c560d4465436820382321b35f3734e38fa9fbc8088320a7c05b69a113232d91dfa1a429a4c41f3

\Users\Admin\AppData\Local\kBY9CC\ddodiag.exe

MD5 509f9513ca16ba2f2047f5227a05d1a8
SHA1 fe8d63259cb9afa17da7b7b8ede4e75081071b1a
SHA256 ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e
SHA512 ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

C:\Users\Admin\AppData\Local\kBY9CC\XmlLite.dll

MD5 2c49173476595b4dc2ba05a8fd5b6fb5
SHA1 6704424ace4f63f9a10f8a64f1491140889920d8
SHA256 afa6986c63fa4517483bc4c6767deff3a43d7424009aa97670bf06ae3da42d2c
SHA512 39366e065de12e863fe21b866235e4b45ea27f5cb640cb74ae7247052910426f654bc294f07240297409a8f8b98f7d390293e7a0b5ee5d0491d35dad3d6a7a9e

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 ebec7d88f0fa5a1f35f5a74522370e61
SHA1 a6c6ee265a9e68d22fb35a133421e8ef8ca365fe
SHA256 b5a123b0b6f28266f43c853d2164427b0228b0ef6e930124a0ddb0c2727f923e
SHA512 413c6d5d9988e2ea82c0370f2093e922b43129bf1e101ed448042b41ec17e1858032fb1885e29650b5041b1b676e5436f64eb9674ccbf33f165edff223cbdfa8

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-30 06:34
Reported 2024-01-01 05:48
Platform win10v2004-20231215-en
Max time kernel 84s
Max time network 158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\112f2eee8508a695eda686e996db0ec7.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\FN\\GamePanel.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ZzO\ApplicationFrameHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Hkq\ddodiag.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further rows with no recorded description, indicator, process or target)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3456 wrote to memory of 1236 N/A N/A C:\Windows\system32\ApplicationFrameHost.exe
PID 3456 wrote to memory of 1236 N/A N/A C:\Windows\system32\ApplicationFrameHost.exe
PID 3456 wrote to memory of 2412 N/A N/A C:\Users\Admin\AppData\Local\ZzO\ApplicationFrameHost.exe
PID 3456 wrote to memory of 2412 N/A N/A C:\Users\Admin\AppData\Local\ZzO\ApplicationFrameHost.exe
PID 3456 wrote to memory of 4936 N/A N/A C:\Windows\system32\GamePanel.exe
PID 3456 wrote to memory of 4936 N/A N/A C:\Windows\system32\GamePanel.exe
PID 3456 wrote to memory of 4800 N/A N/A C:\Windows\system32\backgroundTaskHost.exe
PID 3456 wrote to memory of 4800 N/A N/A C:\Windows\system32\backgroundTaskHost.exe
PID 3456 wrote to memory of 4588 N/A N/A C:\Windows\system32\ddodiag.exe
PID 3456 wrote to memory of 4588 N/A N/A C:\Windows\system32\ddodiag.exe
PID 3456 wrote to memory of 4444 N/A N/A C:\Users\Admin\AppData\Local\Hkq\ddodiag.exe
PID 3456 wrote to memory of 4444 N/A N/A C:\Users\Admin\AppData\Local\Hkq\ddodiag.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\112f2eee8508a695eda686e996db0ec7.dll,#1

C:\Windows\system32\ApplicationFrameHost.exe

C:\Windows\system32\ApplicationFrameHost.exe

C:\Users\Admin\AppData\Local\ZzO\ApplicationFrameHost.exe

C:\Users\Admin\AppData\Local\ZzO\ApplicationFrameHost.exe

C:\Windows\system32\GamePanel.exe

C:\Windows\system32\GamePanel.exe

C:\Users\Admin\AppData\Local\BIEc4\GamePanel.exe

C:\Users\Admin\AppData\Local\BIEc4\GamePanel.exe

C:\Windows\system32\ddodiag.exe

C:\Windows\system32\ddodiag.exe

C:\Users\Admin\AppData\Local\Hkq\ddodiag.exe

C:\Users\Admin\AppData\Local\Hkq\ddodiag.exe

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\ZzO\ApplicationFrameHost.exe

MD5 d58a8a987a8dafad9dc32a548cc061e7
SHA1 f79fc9e0ab066cad530b949c2153c532a5223156
SHA256 cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4
SHA512 93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

C:\Users\Admin\AppData\Local\ZzO\dxgi.dll

MD5 e679615e49231f415738436603cf794d
SHA1 9f77ef24b216d1a1297f4839dceb182c5af5f009
SHA256 437898630d55c80bc5ac12256899f3b97dded547e076682c9bd0c5b0cb3539e5
SHA512 c2d03d902a1d71027297c5f461c89157ddb03a75898a07c76b8c8c712f7928c8db52dde94de7c07de95b0f11dcbf2484909276c130a450b147cf3633106248d9

C:\Users\Admin\AppData\Local\ZzO\dxgi.dll

MD5 bf78a4c45dc664e7c4fa5f8652166480
SHA1 739c1865a11235c9e6ec8affe7160dc18dd7d25e
SHA256 fa360ccef5d668c2a019f2271806d80e2c52101d2696ae85dc78659519c78a0f
SHA512 5e52d1432272cffcbf409d9d74ac1820dbf0b7d49697bc5d0006b249265a1a8f1d2f840cc806e17c86f538d34ea329ce1658c812d90efec2f38c76ab5ab0396d

C:\Users\Admin\AppData\Local\ZzO\ApplicationFrameHost.exe

MD5 cec2396a6eb4cf4d1479acb056799edf
SHA1 24bfb311408282aa296c7b4d977a295eb7f9120b
SHA256 6932acd1a0be81148447dcec6fcf03105ebe91232e76d7dbd0977c747fd0101f
SHA512 02acb2076c871a6385e59d6c442fbac95fbd3f76fdb9ffe5e38a26718a3e716815caeea8f6d337d6889d21fad98ab61dafcf054f4183da5b0b591d5cd517e6d6

C:\Users\Admin\AppData\Local\BIEc4\dwmapi.dll

MD5 146c52d74f722e3d65f184e2e7ce9744
SHA1 099da19869e617cb306bceadb64c3b4eac664542
SHA256 77e39601e54bfbf749ef2c0b147f28b038c81af00eba0a7d9bc002171e997030
SHA512 3feb4b306ce212a085e91fb89c0f45599979a8583ffa73bf3f31ecfb3a21499c658b05570db4ca50321c696de70ea12a1496d5c0c63eaa2786ae81f788c126d1

C:\Users\Admin\AppData\Local\BIEc4\dwmapi.dll

MD5 fed8950646aa54c8f5de08385042fcd5
SHA1 540b439950d22af20ab0b9c4a453d3b176db3fd7
SHA256 d595cc0a4559ce6aea22a6077ee107496ceb9c5cdcc66e75c912cef7bc70b8f4
SHA512 3a77cd295fadb3ddc4cde80e9dc56b4972235b31bf615272c3ff48b59008470823b4f18d98468982d91af07a1f693cf9d7bd6f5328fa61573b7997002e7789b6

C:\Users\Admin\AppData\Local\BIEc4\GamePanel.exe

MD5 15950a043e5f662d1c7d370986dd1862
SHA1 caf15d3411459c27e23ce6badb81cfea85d43e7b
SHA256 9f9cace76a3a858d2ab8ddb81eb9ba13b2b06c096a16dc205f8848e6659bbb7f
SHA512 a80efad05321747aef7003375a86443bc653309fba7bc1caabd41c6a9949ec345d0123e965a0df89a95ec0d85504e3830c3eaac352c519308d049a6e15115e62

C:\Users\Admin\AppData\Local\BIEc4\GamePanel.exe

MD5 5f04c95bd42525180653170f780636a7
SHA1 56eab14e43cfddf0e7f76959305f58dbfb541909
SHA256 1603f5dd468800ff7ecbc14dd9681bc269bbd36d33bd8e28ed31ff14c71f0320
SHA512 df718b67f791416dbe9f58e68d016755494e8cd5672346dd78e5afb89c92df83d5269c922f9c5ed00e4c9d453b7fe909f549511c339bab1c9e0e38eb2047c047

C:\Users\Admin\AppData\Local\Hkq\XmlLite.dll

MD5 0bcb5de30854dc3f4c4164057daa52de
SHA1 03e93c8cc859dece60c74273ddf26e18fcdfac13
SHA256 32601dcf312378e93c6ce39966bab91af07ca44d46ee05f3bea15b806d56646c
SHA512 563e0838918a00515f48f8ced9ed2c58b6a3071e1a8ba8a1a7aff8ed29928c93f2b9dba7637f097409b5918704a342f5cf8c390b806e900d063090bff2226cc4

C:\Users\Admin\AppData\Local\Hkq\ddodiag.exe

MD5 85feee634a6aee90f0108e26d3d9bc1f
SHA1 a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2
SHA256 99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6
SHA512 b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

C:\Users\Admin\AppData\Local\Hkq\XmlLite.dll

MD5 2cf31b577a861187421f8cb60c26708f
SHA1 21411b2362978e35b935e96fdf5527078d86b2c1
SHA256 11f7fcf5aef3a03b8b6b1af1ddeb2d8e6740da8a40e9bb40280f12ee527381da
SHA512 8f7b21dc4a3dbf5cfe849030efa29894ce5e093e2cca2f3addafbc798182d4aaa78636e2d2492cc34b4fba7e7fe7f391b86656b7709a55d9bede1efccb20e656

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

MD5 7424236d56761be37a496c9654ca7d8d
SHA1 457c92fb33f522cb6eac355e2c6397e0ed9912e0
SHA256 409741675404e0f5cccc1ae5c6d3894d5da0f4c61b04971c3f5aff0d68171ffc
SHA512 81776ae8f82d404f8f8f908d95aa3dd1d543821452df85572eb7707f6845a36b0955a0a6790358a4b90e57fdbda4e8905a4f5fc8c618cc8c29525755259cf5bb

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-635608581-3370340891-292606865-1000\xZvk\dxgi.dll

MD5 0ab7fb73056dc23d8d091bb2d586bf3a
SHA1 c19625f5c16064b5bc1ae00b0f4531b540e3a874
SHA256 3262ab9026ab1c909fabaf7bca2aee46f93f16f66b2329e49a3fb6619a9ec5a4
SHA512 72ae3ea8cf8b4e0d712122f0749df32351f41495ea59341554f30b9940fffad989db1465d40e3bac9a4a9193e5451e7f7a01c3ab212652efce9216cd2ce38b5b

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\FN\dwmapi.dll

MD5 a2deba4d0c18fb08493e6360cba3be76
SHA1 908196cb52b74e879d25c36b352197241cf3e0dc
SHA256 c9f8b5699c7e82243e4aea8d4cebed26299c576a50c350f57f7add45378f2f17
SHA512 7cafbe33594095066336c41a967131e552195ddabe1c6aa9dd8324a8c1e18f4b9880b33462d926b480fbb8b36a53945d646e96d88fe27a76408ac1dd30374954

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\6HZcJQlXox\XmlLite.dll

MD5 17356b84c8471a6755ea225804f7ed18
SHA1 09cffb4fbdbd1125155716123d10b69b9af9ec18
SHA256 880cc88cde35180d34d1dd544e2716b08a256b447bb0d9fc963411badb18b1c6
SHA512 7d1aa97b9d914b08d53eeca25cc4e694dd0f9ba66d1b5bd94fc842da5a9827f025b3d27cf6c1585776ad4f6000fe0ac835d1f7e191c795fe367eeacc30fbcd73