Analysis Overview
SHA256
c214efebc69b53865985a48716f53228f1d706ede14b719e4b36e0ca69463c91
Threat Level: Known bad
The file 2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid was found to be: Known bad.
Malicious Activity Summary
Blackmoon family
Blackmoon, KrBanker
Detect Blackmoon payload
Server Software Component: Terminal Services DLL
UPX packed file
Executes dropped EXE
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Adds Run key to start application
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 06:45
Signatures
Blackmoon family
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 06:45
Reported
2024-06-20 06:48
Platform
win7-20240611-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WpnUserService_EF8F0F8\Parameters\ServiceDll = "C:\\Windows\\EF8F0F81B\\WpnUserService_5E54B63.dll" | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\FD6F2E37\tackhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tackhost = "C:\\Windows\\FD6F2E37\\tackhost.exe" | C:\Windows\FD6F2E37\tackhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Install_plugin.dat | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
| File created | C:\Windows\EF8F0F81B\WpnUserService_5E54B63.dll | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
| File created | C:\Windows\Tools_Config.db | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
| File created | C:\Windows\FD6F2E37\tackhost.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\FD6F2E37\tackhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
| N/A | N/A | C:\Windows\FD6F2E37\tackhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1696 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | C:\Windows\FD6F2E37\tackhost.exe |
| PID 1696 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | C:\Windows\FD6F2E37\tackhost.exe |
| PID 1696 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | C:\Windows\FD6F2E37\tackhost.exe |
| PID 1696 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | C:\Windows\FD6F2E37\tackhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k UnistackSvcGroup_EF8F0F81B
C:\Windows\FD6F2E37\tackhost.exe
"C:\Windows\FD6F2E37\tackhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.bgyedu.wang | udp |
| CN | 111.229.124.132:9712 | cdn.bgyedu.wang | tcp |
| US | 8.8.8.8:53 | ia.51.la | udp |
| GB | 104.166.160.226:80 | ia.51.la | tcp |
| CN | 111.229.124.132:9712 | N/A | tcp |
Files
memory/1696-0-0x0000000000400000-0x0000000000768000-memory.dmp
memory/1696-1-0x0000000000290000-0x0000000000338000-memory.dmp
\??\c:\windows\ef8f0f81b\wpnuserservice_5e54b63.dll
| MD5 | 05ef45eb35b0f5ac718379a7cf92a14d |
| SHA1 | 8727d5e0e872cbdc98239c0b4419904b248d554a |
| SHA256 | ed75a83c738435bde47b851624c8fc8027ca37613b003ff3690e401a6255122f |
| SHA512 | 9622c1215eab12abca5dec1a4213ec1f1c9bc38599e83a1e66638898e4dc0e9c49e16876720d40f4ee21b4defe9c4e9aff703a9b8d1fb6b5a14c607f88c098c6 |
\Windows\FD6F2E37\tackhost.exe
| MD5 | f4c2390061305ecc066ccd3d6dc5783f |
| SHA1 | 19f6313eecf3b9f602c1da71ad9e96e7c5777b8c |
| SHA256 | 8488571d2439fce34ff8e59ea3364c1b82352561fa3bb6891dcf183d009a0976 |
| SHA512 | 0b7b8155f7ca2819d0dd02d353ff52b7b92e4bbdf0ff8948d99284d017cecabd61d7ea337caeae781e1c94eaec532cdac02b3ab57187dfd2f8b24afc680ff926 |
C:\Windows\Tools_Config.db
| MD5 | 1ff35ce3384cc1b28320a2a9706d4914 |
| SHA1 | 43ee3693c241abe7101b02a42f217034cd17525d |
| SHA256 | a2375892e425134276947e64dc66473f3bcd4e3bfe5e4fc8296e13be62124812 |
| SHA512 | f98bacdd313a790b48edc7628d4cccc040b3df97ef263315c04bc3f01f4d94ea2909f23173d5a7f983558c7801224074b38b28cc3e921d4275772f9eb836bb93 |
C:\Windows\Install_plugin.dat
| MD5 | d6b049cd11c30582792d546a04626ec2 |
| SHA1 | fda4eb26f23cc45bc61dd81369469fb78bb26217 |
| SHA256 | 83c0b76f25745b60fe9e803bb85adf5e1ce9412e092a940db2c21aa8c98f1cf5 |
| SHA512 | 7435bc9fd4dc5f0567528818173e06f5f54011d841cb103f3b8b9024b8d37b631ed436dd142484df29779d946fff3bbc7651abea7b5e14e2782039c087b44f1d |
\Users\Admin\AppData\Local\Temp\owlform.dll
| MD5 | 918d63d796b6507efde17f2a1163e914 |
| SHA1 | 9f1009f12d13b068cff505c2e72116102b314191 |
| SHA256 | 71ec97d12ec941499b22db3d758747acd7c15cfacf88f14c76eb9a728f05cec9 |
| SHA512 | d321f5d48ce5c87c3e1194e833091cce005e48583a1249702e9190b23ea5cbf2a24b99f89108d14ebe68460b1fc615598badc9f98cab1060edd64569b2912441 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 06:45
Reported
2024-06-20 06:48
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
157s
Command Line
Signatures
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WpnUserService_B94FF00\Parameters\ServiceDll = "C:\\Windows\\B94FF0011\\WpnUserService_DCC79B7.dll" | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\7ED89C33\tackhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tackhost = "C:\\Windows\\7ED89C33\\tackhost.exe" | C:\Windows\7ED89C33\tackhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Install_plugin.dat | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
| File created | C:\Windows\B94FF0011\WpnUserService_DCC79B7.dll | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
| File created | C:\Windows\Tools_Config.db | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
| File created | C:\Windows\7ED89C33\tackhost.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\7ED89C33\tackhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
| N/A | N/A | C:\Windows\7ED89C33\tackhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 824 wrote to memory of 3588 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | C:\Windows\7ED89C33\tackhost.exe |
| PID 824 wrote to memory of 3588 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | C:\Windows\7ED89C33\tackhost.exe |
| PID 824 wrote to memory of 3588 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe | C:\Windows\7ED89C33\tackhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_3a15e26a6380b51201447dbc9d96bf29_icedid.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k UnistackSvcGroup_B94FF0011 -s WpnUserService_B94FF00
C:\Windows\7ED89C33\tackhost.exe
"C:\Windows\7ED89C33\tackhost.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
Network
Files