Malware Analysis Report

2025-06-16 00:30

Sample ID 240919-mz5hyavbqc
Target eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118
SHA256 a8389eaa6dedbe5086382fec126581a6da38fd49d05da74fba18846fd826d61d
Tags
simda discovery persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a8389eaa6dedbe5086382fec126581a6da38fd49d05da74fba18846fd826d61d

Threat Level: Known bad

The file eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

Modifies WinLogon for persistence

Simda family

simda

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-19 10:55

Signatures

Simda family

simda

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-19 10:55

Reported

2024-09-19 10:57

Platform

win7-20240704-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ddc85bf5 = "\x1a=}¶8ñC\a¯ožñÓy‹øpâ\u008f+š§ŽÒg,'\u009d\x7fKE¯ä\x019ñ(âí‚ä\x7f\x19Ä\x0fÛØo\x01\u008d±•uGa)€\x10y”ô\n\u008d»ê@ˆG\u00a0\"ég”\r×¹\"\u00a0\aÿ\u0090#\fÛÝ\u00a0\x05‰\u008d¹\x1dÁŒ)lšE?b\x01/i\x11’•à\x18ýŸÑ˜‚u´±`\tÉõ\a‹ÄˆØTÇWQ%\vÓ}¨0\x14ÕKÛkùÅ\u008d3¥ï\u00a0‰Ììjãï$Y©yÜ\x18¬Ú/›Å‘\x1a‰…Ë\x01Q)\x19\x11\x13ÓßáÄ\x1a¨·Ì:ß9ƒÃ)A¼ïÍ\x14|¿aªŸü\x18!q¤Ä˜\u00adoyD\røM:ìL‚\x17ô½ñš3Ûâ¼¼K<1ß\r‹´\x0f?i\u008dIÙÉŒ›ÊØúY/ß\x13\\\x15\x12%)\x04‚ñ3A" C:\Windows\apppatch\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ddc85bf5 = "\x1a=}¶8ñC\a¯ožñÓy‹øpâ\u008f+š§ŽÒg,'\u009d\x7fKE¯ä\x019ñ(âí‚ä\x7f\x19Ä\x0fÛØo\x01\u008d±•uGa)€\x10y”ô\n\u008d»ê@ˆG\u00a0\"ég”\r×¹\"\u00a0\aÿ\u0090#\fÛÝ\u00a0\x05‰\u008d¹\x1dÁŒ)lšE?b\x01/i\x11’•à\x18ýŸÑ˜‚u´±`\tÉõ\a‹ÄˆØTÇWQ%\vÓ}¨0\x14ÕKÛkùÅ\u008d3¥ï\u00a0‰Ììjãï$Y©yÜ\x18¬Ú/›Å‘\x1a‰…Ë\x01Q)\x19\x11\x13ÓßáÄ\x1a¨·Ì:ß9ƒÃ)A¼ïÍ\x14|¿aªŸü\x18!q¤Ä˜\u00adoyD\røM:ìL‚\x17ô½ñš3Ûâ¼¼K<1ß\r‹´\x0f?i\u008dIÙÉŒ›ÊØúY/ß\x13\\\x15\x12%)\x04‚ñ3A" C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Files

C:\Windows\AppPatch\svchost.exe

MD5 c7e079b88a671c3658374897b94714e2
SHA1 62cacd99dc1e7b2c612355d9e09862046fdc096c
SHA256 370b4451099747049a71e847057ad4e4cbd61e2b126c3d9b21f8e5cb44b7338d
SHA512 ef01d2bfd07506d985e4bc7abf456ef3670ca44ef6846f9d260c606aa60833aaaed2f46097368ec457b3ee864f64bc7f0f1fb9132064e4076a7f96a6e87dd1e3

C:\Users\Admin\AppData\Local\Temp\737E.tmp

MD5 926512864979bc27cf187f1de3f57aff
SHA1 acdeb9d6187932613c7fa08eaf28f0cd8116f4b5
SHA256 b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f
SHA512 f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-19 10:55

Reported

2024-09-19 10:57

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\7f0bb835 = "œm\x15Ò»L‹\tàŒ¹[B\n†Ï\x01=I¥}\x1fAí2ê†\u00a0OÑoš\x15_âw\x12\ab®íÒÙGÿêIi2Ž}eÎZ\x0e\x0e6µ\n•m%:\x1e>…ñª¿êg&ß\x01•%ž%ÇByroW\x7fOB¾5ý*™‡×µµi\x15ŠE>—Å-}N\u00adBßÿŠ/åW×Vª\x1f2\x06÷ç\x1f.ºš•Æš://‘¿=¶¶jÕ\x1a‚\x17šÏ†‰Z-ÿ\x0fß\x17ª\x0e\u008fe÷YZÊ—EZ7*½wŸ¥iêB\u00ad’\x0f-Õ’\"Ê2ObúW\x17úÚ÷§U†7båOMò\"ß=Iš½rO\nªÙšbBß%¦~Áß~ÂŽß\awbŸ¶þöºrÇu…Ò9ϲ§ò§î_uÂîú\u009dE5•ÞÂ1EíWõÅ" C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\7f0bb835 = "œm\x15Ò»L‹\tàŒ¹[B\n†Ï\x01=I¥}\x1fAí2ê†\u00a0OÑoš\x15_âw\x12\ab®íÒÙGÿêIi2Ž}eÎZ\x0e\x0e6µ\n•m%:\x1e>…ñª¿êg&ß\x01•%ž%ÇByroW\x7fOB¾5ý*™‡×µµi\x15ŠE>—Å-}N\u00adBßÿŠ/åW×Vª\x1f2\x06÷ç\x1f.ºš•Æš://‘¿=¶¶jÕ\x1a‚\x17šÏ†‰Z-ÿ\x0fß\x17ª\x0e\u008fe÷YZÊ—EZ7*½wŸ¥iêB\u00ad’\x0f-Õ’\"Ê2ObúW\x17úÚ÷§U†7båOMò\"ß=Iš½rO\nªÙšbBß%¦~Áß~ÂŽß\awbŸ¶þöºrÇu…Ò9ϲ§ò§î_uÂîú\u009dE5•ÞÂ1EíWõÅ" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

US 8.8.8.8:53 pujybyq.com udp
US 8.8.8.8:53 gatypub.com udp
US 8.8.8.8:53 lyvyjox.com udp
US 8.8.8.8:53 vojybek.com udp
US 8.8.8.8:53 qetytug.com udp
US 8.8.8.8:53 puvyjop.com udp
US 8.8.8.8:53 gahyvew.com udp
US 8.8.8.8:53 lyrytun.com udp
US 8.8.8.8:53 vocyjic.com udp
US 8.8.8.8:53 qegyval.com udp
US 8.8.8.8:53 purytyg.com udp
US 8.8.8.8:53 gacyhis.com udp
US 8.8.8.8:53 lygyvar.com udp
US 8.8.8.8:53 vowyrym.com udp
US 8.8.8.8:53 qexyhuv.com udp
US 8.8.8.8:53 pufycol.com udp
US 8.8.8.8:53 gaqyreh.com udp
US 8.8.8.8:53 lyxygud.com udp
US 8.8.8.8:53 vofycot.com udp
US 8.8.8.8:53 qeqyreq.com udp
US 8.8.8.8:53 puzyguv.com udp
US 8.8.8.8:53 gadyciz.com udp
US 8.8.8.8:53 lymywaj.com udp
US 8.8.8.8:53 volygyf.com udp
US 8.8.8.8:53 pumywaq.com udp
US 8.8.8.8:53 qedyxip.com udp
US 8.8.8.8:53 galyfyb.com udp
US 8.8.8.8:53 lysyxux.com udp
US 8.8.8.8:53 vonyqok.com udp
US 8.8.8.8:53 qekyfeg.com udp
US 8.8.8.8:53 ganyqow.com udp
US 8.8.8.8:53 pupyxup.com udp
US 8.8.8.8:53 lykyfen.com udp
US 8.8.8.8:53 vopyzuc.com udp
US 8.8.8.8:53 qebyqil.com udp
US 8.8.8.8:53 pujydag.com udp
US 8.8.8.8:53 gatyzys.com udp
US 8.8.8.8:53 lyvymir.com udp
US 8.8.8.8:53 vojydam.com udp
US 8.8.8.8:53 qetylyv.com udp
US 8.8.8.8:53 puvymul.com udp
US 8.8.8.8:53 gahydoh.com udp
US 8.8.8.8:53 lyryled.com udp
US 8.8.8.8:53 vocymut.com udp
US 8.8.8.8:53 qegysoq.com udp
US 8.8.8.8:53 purylev.com udp
US 8.8.8.8:53 gacynuz.com udp
US 8.8.8.8:53 lygysij.com udp
US 8.8.8.8:53 vowykaf.com udp
US 8.8.8.8:53 qexynyp.com udp
US 8.8.8.8:53 pufypiq.com udp
US 8.8.8.8:53 gaqykab.com udp
US 8.8.8.8:53 lyxynyx.com udp
US 8.8.8.8:53 qegyval.com udp
US 8.8.8.8:53 galynuh.com udp
US 8.8.8.8:53 qexyhuv.com udp
US 8.8.8.8:53 vofycot.com udp
US 103.224.182.252:80 vofycot.com tcp
US 64.225.91.73:80 galynuh.com tcp
US 8.8.8.8:53 lyxynyx.com udp
US 15.197.240.20:80 qexyhuv.com tcp
US 8.8.8.8:53 gadyciz.com udp
US 103.224.212.210:80 lyxynyx.com tcp
US 44.221.84.105:80 gadyciz.com tcp
HK 154.85.183.50:80 qegyval.com tcp
US 8.8.8.8:53 ww16.vofycot.com udp
DE 64.190.63.136:80 ww16.vofycot.com tcp
US 199.59.243.226:80 ww6.galyqaz.com tcp
US 8.8.8.8:53 20.240.197.15.in-addr.arpa udp
US 8.8.8.8:53 252.182.224.103.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 210.212.224.103.in-addr.arpa udp
US 8.8.8.8:53 50.183.85.154.in-addr.arpa udp
US 8.8.8.8:53 136.63.190.64.in-addr.arpa udp
US 15.197.240.20:80 qexyhuv.com tcp
US 8.8.8.8:53 vofypuk.com udp
US 8.8.8.8:53 qeqykog.com udp
US 8.8.8.8:53 puzybep.com udp
US 8.8.8.8:53 gadypuw.com udp
US 8.8.8.8:53 lymyjon.com udp
US 8.8.8.8:53 volybec.com udp
US 8.8.8.8:53 qedytul.com udp
US 8.8.8.8:53 pumyjig.com udp
US 8.8.8.8:53 galyvas.com udp
US 8.8.8.8:53 lysytyr.com udp
US 8.8.8.8:53 vonyjim.com udp
US 8.8.8.8:53 qekyvav.com udp
US 8.8.8.8:53 pupytyl.com udp
US 8.8.8.8:53 ganyhuh.com udp
US 8.8.8.8:53 lykyvod.com udp
US 8.8.8.8:53 vopyret.com udp
US 8.8.8.8:53 qebyhuq.com udp
US 8.8.8.8:53 pujycov.com udp
US 8.8.8.8:53 gatyrez.com udp
US 8.8.8.8:53 lyvyguj.com udp
US 8.8.8.8:53 vojycif.com udp
US 8.8.8.8:53 qetyrap.com udp
US 8.8.8.8:53 puvygyq.com udp
US 8.8.8.8:53 gahycib.com udp
US 8.8.8.8:53 lyrywax.com udp
US 8.8.8.8:53 vocygyk.com udp
US 8.8.8.8:53 qegyxug.com udp
US 8.8.8.8:53 purywop.com udp
US 8.8.8.8:53 gacyfew.com udp
US 8.8.8.8:53 lygyxun.com udp
US 8.8.8.8:53 vowyqoc.com udp
US 8.8.8.8:53 qexyfel.com udp
US 8.8.8.8:53 pufyxug.com udp
US 8.8.8.8:53 gaqyqis.com udp
US 8.8.8.8:53 lyxyfar.com udp
US 8.8.8.8:53 vofyzym.com udp
US 8.8.8.8:53 qeqyqiv.com udp
US 8.8.8.8:53 gadyzyh.com udp
US 8.8.8.8:53 puzydal.com udp
US 8.8.8.8:53 lymymud.com udp
US 8.8.8.8:53 volydot.com udp
US 8.8.8.8:53 qedyleq.com udp
US 8.8.8.8:53 pumymuv.com udp
US 8.8.8.8:53 galydoz.com udp
US 8.8.8.8:53 lysylej.com udp
US 8.8.8.8:53 vonymuf.com udp
US 8.8.8.8:53 qekysip.com udp
US 8.8.8.8:53 ganynyb.com udp
US 8.8.8.8:53 pupylaq.com udp
US 8.8.8.8:53 lykysix.com udp
US 8.8.8.8:53 vopykak.com udp
US 8.8.8.8:53 qebynyg.com udp
US 8.8.8.8:53 pujypup.com udp
US 8.8.8.8:53 gatykow.com udp
US 8.8.8.8:53 lyvynen.com udp
US 8.8.8.8:53 vojypuc.com udp
US 8.8.8.8:53 qetykol.com udp
US 8.8.8.8:53 puvybeg.com udp
US 8.8.8.8:53 gahypus.com udp
US 8.8.8.8:53 lyryjir.com udp
US 8.8.8.8:53 vocybam.com udp
US 8.8.8.8:53 qegytyv.com udp
US 8.8.8.8:53 puryjil.com udp
US 8.8.8.8:53 gacyvah.com udp
US 8.8.8.8:53 lygytyd.com udp
US 8.8.8.8:53 vowyjut.com udp
US 8.8.8.8:53 qexyvoq.com udp
US 8.8.8.8:53 pufytev.com udp
US 8.8.8.8:53 gaqyhuz.com udp
US 8.8.8.8:53 lyxyvoj.com udp
US 8.8.8.8:53 vofyref.com udp
US 8.8.8.8:53 qeqyhup.com udp
US 8.8.8.8:53 puzyciq.com udp
US 8.8.8.8:53 gadyrab.com udp
US 8.8.8.8:53 lymygyx.com udp
US 8.8.8.8:53 volycik.com udp
US 8.8.8.8:53 qedyrag.com udp
US 8.8.8.8:53 pumygyp.com udp
US 8.8.8.8:53 galycuw.com udp
US 8.8.8.8:53 lysywon.com udp
US 8.8.8.8:53 vonygec.com udp
US 8.8.8.8:53 qekyxul.com udp
US 8.8.8.8:53 pupywog.com udp
US 8.8.8.8:53 ganyfes.com udp
US 8.8.8.8:53 lykyxur.com udp
US 8.8.8.8:53 vopyqim.com udp
US 8.8.8.8:53 qebyfav.com udp
US 8.8.8.8:53 pujyxyl.com udp
US 8.8.8.8:53 gatyqih.com udp
US 8.8.8.8:53 lyvyfad.com udp
US 8.8.8.8:53 vojyzyt.com udp
US 8.8.8.8:53 qetyquq.com udp
US 8.8.8.8:53 puvydov.com udp
US 8.8.8.8:53 gahyzez.com udp
US 8.8.8.8:53 lyrymuj.com udp
US 8.8.8.8:53 vocydof.com udp
US 8.8.8.8:53 purymuq.com udp
US 8.8.8.8:53 qegylep.com udp
US 8.8.8.8:53 gacydib.com udp
US 8.8.8.8:53 vowymyk.com udp
US 8.8.8.8:53 qexysig.com udp
US 8.8.8.8:53 pufylap.com udp
US 8.8.8.8:53 gaqynyw.com udp
US 8.8.8.8:53 lyxysun.com udp
US 8.8.8.8:53 vofykoc.com udp
US 8.8.8.8:53 puzypug.com udp
US 8.8.8.8:53 gadykos.com udp
US 8.8.8.8:53 lymyner.com udp
US 8.8.8.8:53 pumybal.com udp
US 8.8.8.8:53 volypum.com udp
US 8.8.8.8:53 galypyh.com udp
US 8.8.8.8:53 qedykiv.com udp
US 8.8.8.8:53 vonybat.com udp
US 8.8.8.8:53 pupyjuv.com udp
US 8.8.8.8:53 qekytyq.com udp
US 8.8.8.8:53 vopyjuf.com udp
US 8.8.8.8:53 ganyvoz.com udp
US 8.8.8.8:53 pujyteq.com udp
US 8.8.8.8:53 qebyvop.com udp
US 8.8.8.8:53 lyvyvix.com udp
US 8.8.8.8:53 vojyrak.com udp
US 8.8.8.8:53 qetyhyg.com udp
US 8.8.8.8:53 puvycip.com udp
US 8.8.8.8:53 qeqynel.com udp
US 8.8.8.8:53 lykytej.com udp
US 8.8.8.8:53 qetyhyg.com udp
US 64.225.91.73:80 qetyhyg.com tcp
US 72.52.179.174:80 gatyhub.com tcp

Files

C:\Windows\apppatch\svchost.exe

MD5 5374ef3902e68a0b4bf21569b049b1d5
SHA1 4edd81bbc33659c4f8a7f7cb9b90a4b6d1540d03
SHA256 b15a87aaa33a9bebaccf388202386dd0a33d7729bc1f8c01d65548f8f939e619
SHA512 1b57fb33d22023283a9deeee0640491a3ad359fa909084e43c987e99e31e79067580d9c682a65989e920d6db931e3827fc186b5e1cd2da139e7da72ca872cc13

memory/2072-9-0x0000000000400000-0x000000000045F000-memory.dmp

memory/4032-10-0x0000000002720000-0x00000000027C8000-memory.dmp

memory/4032-13-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-16-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-14-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-20-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-22-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-71-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-73-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-72-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-70-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-69-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-68-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-67-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-66-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-65-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-64-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-63-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-62-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-61-0x0000000002B40000-0x0000000002BF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BAEA.tmp

MD5 3142ba81204411c05fd36611f9df1404
SHA1 aa36c11356219f2ae63c87815891128c64de758e
SHA256 037a8d23da10ab17e3b80a23f156e90c1a1d01a428262b2c409d9061d1017537
SHA512 e903e6514c8a4a715e7c43683dc3d9b892448fe34fcdfb3a0e3ba519901180ec6a95ed5b09101d0837ec203eb4d516a311fbb32f309984862ed62b5b54262ad4

memory/4032-60-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-59-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-58-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-57-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-56-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-54-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-53-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-52-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-51-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-55-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-50-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-49-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-48-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-47-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-46-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-45-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-44-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-43-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-42-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-40-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-39-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-38-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-37-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-36-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-35-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-34-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-33-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-32-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-31-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-29-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-28-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-27-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-26-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-25-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-23-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-21-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-19-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-18-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-41-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-30-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-24-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/4032-17-0x0000000002B40000-0x0000000002BF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BC57.tmp

MD5 cd4611cb164dc6fe4b28804f3205e505
SHA1 2e214ebf479474cbf082c46f7697cb093e64988d
SHA256 72b5b049868c636653fc1a7f5379d077f92034f48774f22d1d7b9832d00e613d
SHA512 28d3e704325dbf7dc972b44763918ba53bc5e7bbda918206bbb56c6c8d765ae8d3a25c75f5033c1524140a13542b9b3cc993b5408fe5b521a0d105375afa622c

memory/4032-161-0x0000000002B40000-0x0000000002BF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AE9A.tmp

MD5 926512864979bc27cf187f1de3f57aff
SHA1 acdeb9d6187932613c7fa08eaf28f0cd8116f4b5
SHA256 b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f
SHA512 f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b