Analysis Overview
SHA256
a8389eaa6dedbe5086382fec126581a6da38fd49d05da74fba18846fd826d61d
Threat Level: Known bad
The file eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Simda family
simda
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-19 10:55
Signatures
Simda family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-19 10:55
Reported
2024-09-19 10:57
Platform
win7-20240704-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ddc85bf5 = "\x1a=}¶8ñC\a¯ožñÓy‹øpâ\u008f+š§ŽÒg,'\u009d\x7fKE¯ä\x019ñ(âí‚ä\x7f\x19Ä\x0fÛØo\x01\u008d±•uGa)€\x10y”ô\n\u008d»ê@ˆG\u00a0\"ég”\r×¹\"\u00a0\aÿ\u0090#\fÛÝ\u00a0\x05‰\u008d¹\x1dÁŒ)lšE?b\x01/i\x11’•à\x18ýŸÑ˜‚u´±`\tÉõ\a‹ÄˆØTÇWQ%\vÓ}¨0\x14ÕKÛkùÅ\u008d3¥ï\u00a0‰Ììjãï$Y©yÜ\x18¬Ú/›Å‘\x1a‰…Ë\x01Q)\x19\x11\x13ÓßáÄ\x1a¨·Ì:ß9ƒÃ)A¼ïÍ\x14|¿aªŸü\x18!q¤Ä˜\u00adoyD\røM:ìL‚\x17ô½ñš3Ûâ¼¼K<1ß\r‹´\x0f?i\u008dIÙÉŒ›ÊØúY/ß\x13\\\x15\x12%)\x04‚ñ3A" | C:\Windows\apppatch\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ddc85bf5 = "\x1a=}¶8ñC\a¯ožñÓy‹øpâ\u008f+š§ŽÒg,'\u009d\x7fKE¯ä\x019ñ(âí‚ä\x7f\x19Ä\x0fÛØo\x01\u008d±•uGa)€\x10y”ô\n\u008d»ê@ˆG\u00a0\"ég”\r×¹\"\u00a0\aÿ\u0090#\fÛÝ\u00a0\x05‰\u008d¹\x1dÁŒ)lšE?b\x01/i\x11’•à\x18ýŸÑ˜‚u´±`\tÉõ\a‹ÄˆØTÇWQ%\vÓ}¨0\x14ÕKÛkùÅ\u008d3¥ï\u00a0‰Ììjãï$Y©yÜ\x18¬Ú/›Å‘\x1a‰…Ë\x01Q)\x19\x11\x13ÓßáÄ\x1a¨·Ì:ß9ƒÃ)A¼ïÍ\x14|¿aªŸü\x18!q¤Ä˜\u00adoyD\røM:ìL‚\x17ô½ñš3Ûâ¼¼K<1ß\r‹´\x0f?i\u008dIÙÉŒ›ÊØúY/ß\x13\\\x15\x12%)\x04‚ñ3A" | C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2724 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
| PID 2724 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
| PID 2724 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
| PID 2724 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| GB | 88.221.135.42:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 13.248.252.114:80 | puzylyp.com | tcp |
| US | 69.162.80.51:80 | lysyfyj.com | tcp |
| US | 162.255.119.102:80 | gahyqah.com | tcp |
| US | 172.67.173.131:80 | qegyhig.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 69.162.80.51:80 | lysyfyj.com | tcp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| DE | 178.162.203.211:80 | gatyfus.com | tcp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| GB | 142.250.200.35:80 | c.pki.goog | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 99.83.138.213:80 | puzylyp.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| DE | 178.162.203.226:80 | gatyfus.com | tcp |
| DE | 178.162.203.202:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 92.123.143.234:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
| US | 13.248.252.114:80 | puzylyp.com | tcp |
| US | 99.83.138.213:80 | puzylyp.com | tcp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| US | 104.21.26.151:80 | lysyvan.com | tcp |
| CN | 103.150.10.58:80 | lyrysor.com | tcp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| CN | 103.150.10.58:80 | lyrysor.com | tcp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 8.8.8.8:53 | vonyket.com | udp |
| US | 8.8.8.8:53 | pupypiv.com | udp |
| US | 8.8.8.8:53 | lykynyj.com | udp |
| US | 8.8.8.8:53 | qebykap.com | udp |
| US | 8.8.8.8:53 | pumylel.com | udp |
| US | 8.8.8.8:53 | qedysov.com | udp |
| US | 8.8.8.8:53 | qekyfeg.com | udp |
| US | 8.8.8.8:53 | vojybek.com | udp |
| US | 8.8.8.8:53 | puvyjop.com | udp |
| US | 8.8.8.8:53 | lyrytun.com | udp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| US | 8.8.8.8:53 | gacyhis.com | udp |
| US | 8.8.8.8:53 | vowyrym.com | udp |
| US | 8.8.8.8:53 | pufycol.com | udp |
| US | 8.8.8.8:53 | lyxygud.com | udp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 8.8.8.8:53 | volygyf.com | udp |
| US | 8.8.8.8:53 | qeqyreq.com | udp |
| US | 8.8.8.8:53 | pumywaq.com | udp |
| US | 8.8.8.8:53 | lysysod.com | udp |
| US | 8.8.8.8:53 | lysyxux.com | udp |
| US | 8.8.8.8:53 | qekynuq.com | udp |
| US | 8.8.8.8:53 | ganykaz.com | udp |
| US | 8.8.8.8:53 | vopypif.com | udp |
| US | 8.8.8.8:53 | pujybyq.com | udp |
| US | 8.8.8.8:53 | lyvyjox.com | udp |
| US | 8.8.8.8:53 | qetytug.com | udp |
| US | 8.8.8.8:53 | gahyvew.com | udp |
| US | 8.8.8.8:53 | vocyjic.com | udp |
| US | 8.8.8.8:53 | purytyg.com | udp |
| US | 8.8.8.8:53 | lygyvar.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 8.8.8.8:53 | gaqyreh.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | puzyguv.com | udp |
| US | 8.8.8.8:53 | lymywaj.com | udp |
| US | 8.8.8.8:53 | qedyxip.com | udp |
| US | 8.8.8.8:53 | galyfyb.com | udp |
| US | 8.8.8.8:53 | vonyqok.com | udp |
| US | 8.8.8.8:53 | pupyxup.com | udp |
| US | 8.8.8.8:53 | lykyfen.com | udp |
| US | 8.8.8.8:53 | gatypub.com | udp |
| US | 8.8.8.8:53 | qebyqil.com | udp |
| US | 8.8.8.8:53 | ganyqow.com | udp |
| US | 8.8.8.8:53 | gatyzys.com | udp |
| US | 8.8.8.8:53 | vopyzuc.com | udp |
| US | 8.8.8.8:53 | puvymul.com | udp |
| US | 8.8.8.8:53 | lyryled.com | udp |
| US | 8.8.8.8:53 | pujydag.com | udp |
| US | 8.8.8.8:53 | qegysoq.com | udp |
| US | 8.8.8.8:53 | gacynuz.com | udp |
| US | 8.8.8.8:53 | lyvymir.com | udp |
| US | 8.8.8.8:53 | vowykaf.com | udp |
| US | 8.8.8.8:53 | qetylyv.com | udp |
| US | 8.8.8.8:53 | pufypiq.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | vojydam.com | udp |
| US | 8.8.8.8:53 | gahydoh.com | udp |
| US | 8.8.8.8:53 | vocymut.com | udp |
| US | 8.8.8.8:53 | purylev.com | udp |
| US | 8.8.8.8:53 | lygysij.com | udp |
| US | 8.8.8.8:53 | qexynyp.com | udp |
| US | 8.8.8.8:53 | gaqykab.com | udp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 64.225.91.73:80 | galynuh.com | tcp |
| US | 103.224.182.252:80 | vofycot.com | tcp |
| US | 15.197.240.20:80 | qexyhuv.com | tcp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| US | 103.224.212.210:80 | lyxynyx.com | tcp |
| US | 44.221.84.105:80 | gadyciz.com | tcp |
| HK | 154.85.183.50:80 | qegyval.com | tcp |
| US | 8.8.8.8:53 | ww16.vofycot.com | udp |
| DE | 64.190.63.136:80 | ww16.vofycot.com | tcp |
| US | 8.8.8.8:53 | ww25.lyxynyx.com | udp |
| US | 199.59.243.226:80 | ww25.lyxynyx.com | tcp |
| US | 15.197.240.20:80 | qexyhuv.com | tcp |
| US | 44.221.84.105:80 | | tcp |
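Both detonations' Network tables show the same pattern: dozens of seven-letter .com lookups (gatyfus.com, vojyqem.com, puzylyp.com, ...) against 8.8.8.8, a few of which then receive a TCP connection on port 80 or 443, mixed with benign traffic (www.bing.com, c.pki.goog, crl.microsoft.com, reverse lookups under in-addr.arpa). The script below is an added example, not code from the report or the sandbox vendor. It parses rows in the table layout used here, separates the generated-looking names from the rest, and records which of them were actually contacted. The rows in SAMPLE_ROWS are copied from the report; the label regex is an empirical fit to this sample's lookups (consonant/vowel alternation with a fixed 'y' in fourth position), not a published description of the Simda DGA, and the function names are assumptions.

```python
"""Flag DGA-looking lookups in a sandbox Network table.

Added example, not part of the report. The SAMPLE_ROWS are copied from the
report's "| Country | Destination | Domain | Proto |" table (one row there has
lost its Domain cell, and is kept to show how that is handled). The regex,
function names and the benign/contacted split are assumptions for illustration.
"""
import re

# Constructed sample: rows copied from the report, including benign lookups.
SAMPLE_ROWS = """\
| GB | 88.221.135.42:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 13.248.252.114:80 | puzylyp.com | tcp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 8.8.8.8:53 | ww16.vofycot.com | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 44.221.84.105:80 | tcp |
"""

CONS = "[bcdfghjklmnpqrstvwxz]"
VOW = "[aeiouy]"
# Shape seen in every malware-generated lookup in this report: seven letters,
# consonant/vowel alternation, a fixed 'y' in fourth position, under .com.
# Assumption: an empirical fit to this sample, not the documented Simda DGA.
DGA_LABEL = re.compile(f"^{CONS}{VOW}{CONS}y{CONS}{VOW}{CONS}$")


def parse_rows(text: str) -> tuple[list[dict], int]:
    """Return (parsed rows, number of rows that did not have four cells)."""
    rows, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells and cells[0] == "Country":      # header row
            continue
        if len(cells) != 4:
            bad += 1                              # e.g. a row whose Domain cell was lost
            continue
        cc, dst, domain, proto = cells
        rows.append({"cc": cc, "dst": dst, "domain": domain.lower(), "proto": proto.lower()})
    return rows, bad


def registrable(domain: str) -> str:
    """Last two labels; sufficient for .com, which is all this traffic uses."""
    labels = domain.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_dga_like(domain: str) -> bool:
    """True when the registrable label matches the shape observed in this sample."""
    labels = domain.rstrip(".").split(".")
    return len(labels) >= 2 and labels[-1] == "com" and DGA_LABEL.fullmatch(labels[-2]) is not None


def summarize(text: str) -> dict:
    """Split lookups into DGA-like vs other, and note which DGA domains got a TCP connection."""
    rows, bad = parse_rows(text)
    dga, contacted, benign = set(), set(), set()
    for r in rows:
        if is_dga_like(r["domain"]):
            base = registrable(r["domain"])       # fold www./ww16. prefixes onto the apex
            dga.add(base)
            if r["proto"] == "tcp":               # a resolved name that was then connected to
                contacted.add(base)
        else:
            benign.add(r["domain"])
    return {
        "dga_domains": sorted(dga),
        "contacted": sorted(contacted),
        "benign": sorted(benign),
        "unparsed_rows": bad,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    print(f"{len(s['dga_domains'])} DGA-like domains, {len(s['contacted'])} contacted over TCP")
    for d in s["contacted"]:
        print("  ", d)
```

The contacted set is the useful output for blocking or sinkhole triage: in this report most generated names never resolve, and the ones that do (puzylyp.com, gahyqah.com, lysyfyj.com, ...) are registered by someone, whether the operator or a parking service; the ww16./ww25./ww6. hostnames in the tables are typical of parked-domain redirects, so a TCP connection alone does not prove live C2.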
Files
C:\Windows\AppPatch\svchost.exe
| MD5 | c7e079b88a671c3658374897b94714e2 |
| SHA1 | 62cacd99dc1e7b2c612355d9e09862046fdc096c |
| SHA256 | 370b4451099747049a71e847057ad4e4cbd61e2b126c3d9b21f8e5cb44b7338d |
| SHA512 | ef01d2bfd07506d985e4bc7abf456ef3670ca44ef6846f9d260c606aa60833aaaed2f46097368ec457b3ee864f64bc7f0f1fb9132064e4076a7f96a6e87dd1e3 |
memory/2724-12-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2852-14-0x0000000002160000-0x0000000002208000-memory.dmp
memory/2852-16-0x0000000002160000-0x0000000002208000-memory.dmp
memory/2852-24-0x0000000002160000-0x0000000002208000-memory.dmp
memory/2852-22-0x0000000002160000-0x0000000002208000-memory.dmp
memory/2852-20-0x0000000002160000-0x0000000002208000-memory.dmp
memory/2852-18-0x0000000002160000-0x0000000002208000-memory.dmp
memory/2852-25-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-29-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-27-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-31-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-36-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-60-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-76-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-75-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-74-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-73-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-72-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-71-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-70-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-69-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-68-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-67-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-66-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-65-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-64-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-63-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-62-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-61-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-59-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-58-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-55-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-54-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-53-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-52-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-51-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-50-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-49-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-48-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-47-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-46-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-45-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-44-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-43-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-42-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-41-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-40-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-38-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-77-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-37-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-57-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-35-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-56-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-34-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-33-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-32-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-39-0x0000000002310000-0x00000000023C6000-memory.dmp
memory/2852-193-0x0000000002310000-0x00000000023C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\737E.tmp
| MD5 | 926512864979bc27cf187f1de3f57aff |
| SHA1 | acdeb9d6187932613c7fa08eaf28f0cd8116f4b5 |
| SHA256 | b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f |
| SHA512 | f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-19 10:55
Reported
2024-09-19 10:57
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
158s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
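In both detonations (behavioral1 and behavioral2) the dropped C:\Windows\apppatch\svchost.exe appends itself to the Winlogon Userinit value, so it is launched at every interactive logon, and it borrows the name of a System32 binary while living in a different directory. The script below is an added example, not code from the report or the sandbox vendor: it takes a Userinit string and reports any entry beyond the real userinit.exe, plus any well-known system binary name found outside System32. The observed value is the one recorded in the report (with the report's doubled backslashes collapsed); the default value, the allow-list and the function names are assumptions.

```python
"""Audit a Winlogon Userinit value for added autorun entries.

Added example, not from the sandbox report or its vendor. OBSERVED_USERINIT is
the string recorded in the report; the default value, the allow-list and the
function names are assumptions for illustration.
"""
import ntpath

# Userinit value recorded in both detonations of this sample.
OBSERVED_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Windows\apppatch\svchost.exe,"

# Assumed clean default: a single entry with a trailing comma.
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"

# Assumption: binaries with these names belong only in %SystemRoot%\System32;
# a copy elsewhere (here, \Windows\apppatch) is name masquerading.
SYSTEM32_ONLY = {"svchost.exe", "userinit.exe", "winlogon.exe", "lsass.exe", "csrss.exe"}


def split_userinit(value: str) -> list[str]:
    """Userinit is comma-separated; the trailing empty entry is normal."""
    return [e.strip() for e in value.split(",") if e.strip()]


def audit_userinit(value: str, system_root: str = r"C:\Windows") -> list[dict]:
    """One finding per suspicious entry; an empty list means the value is clean."""
    system32 = ntpath.join(system_root, "system32").lower()
    real_userinit = ntpath.join(system32, "userinit.exe")
    findings = []
    for idx, entry in enumerate(split_userinit(value)):
        exe = entry.split(" ", 1)[0]              # drop any command-line arguments
        exe_l = exe.lower()
        name, directory = ntpath.basename(exe_l), ntpath.dirname(exe_l)
        reasons = []
        if idx == 0 and exe_l != real_userinit:
            reasons.append("first entry is not the real userinit.exe")
        if idx > 0:
            reasons.append("extra Userinit entry (runs at every interactive logon)")
        if name in SYSTEM32_ONLY and directory != system32:
            reasons.append(f"{name} outside System32 (name masquerading)")
        if reasons:
            findings.append({"entry": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_userinit(OBSERVED_USERINIT):
        print(f["entry"], "->", "; ".join(f["reasons"]))
```

On a live host the input string comes from `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit`; a clean machine returns only the System32 userinit.exe entry. The check is deliberately strict about directory rather than just name, because svchost.exe under \Windows\apppatch is exactly the kind of entry that passes a name-only allow-list.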
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\7f0bb835 = "œm\x15Ò»L‹\tàŒ¹[B\n†Ï\x01=I¥}\x1fAí2ê†\u00a0OÑoš\x15_âw\x12\ab®íÒÙGÿêIi2Ž}eÎZ\x0e\x0e6µ\n•m%:\x1e>…ñª¿êg&ß\x01•%ž%ÇByroW\x7fOB¾5ý*™‡×µµi\x15ŠE>—Å-}N\u00adBßÿŠ/åW×Vª\x1f2\x06÷ç\x1f.ºš•Æš://‘¿=¶¶jÕ\x1a‚\x17šÏ†‰Z-ÿ\x0fß\x17ª\x0e\u008fe÷YZÊ—EZ7*½wŸ¥iêB\u00ad’\x0f-Õ’\"Ê2ObúW\x17úÚ÷§U†7båOMò\"ß=Iš½rO\nªÙšbBß%¦~Áß~ÂŽß\awbŸ¶þöºrÇu…Ò9ϲ§ò§î_uÂîú\u009dE5•ÞÂ1EíWõÅ" | C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\7f0bb835 = "œm\x15Ò»L‹\tàŒ¹[B\n†Ï\x01=I¥}\x1fAí2ê†\u00a0OÑoš\x15_âw\x12\ab®íÒÙGÿêIi2Ž}eÎZ\x0e\x0e6µ\n•m%:\x1e>…ñª¿êg&ß\x01•%ž%ÇByroW\x7fOB¾5ý*™‡×µµi\x15ŠE>—Å-}N\u00adBßÿŠ/åW×Vª\x1f2\x06÷ç\x1f.ºš•Æš://‘¿=¶¶jÕ\x1a‚\x17šÏ†‰Z-ÿ\x0fß\x17ª\x0e\u008fe÷YZÊ—EZ7*½wŸ¥iêB\u00ad’\x0f-Õ’\"Ê2ObúW\x17úÚ÷§U†7båOMò\"ß=Iš½rO\nªÙšbBß%¦~Áß~ÂŽß\awbŸ¶þöºrÇu…Ò9ϲ§ò§î_uÂîú\u009dE5•ÞÂ1EíWõÅ" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2072 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
| PID 2072 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
| PID 2072 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb2ffbe6faa9889a7e6bf8e31b1835aa_JaffaCakes118.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| GB | 88.221.135.1:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 162.255.119.102:80 | gahyqah.com | tcp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| DE | 178.162.203.211:80 | gatyfus.com | tcp |
| US | 172.67.173.131:80 | qegyhig.com | tcp |
| US | 13.248.252.114:80 | puzylyp.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 69.162.80.54:80 | lysyfyj.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 69.162.80.54:80 | lysyfyj.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.35:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | ww6.galyqaz.com | udp |
| US | 199.59.243.226:80 | ww6.galyqaz.com | tcp |
| US | 8.8.8.8:53 | 102.119.255.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.10.94.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.156.208.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.173.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.222.234.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.50.191.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.80.162.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.240.195.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.231.212.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | 226.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 99.83.138.213:80 | puzylyp.com | tcp |
| US | 8.8.8.8:53 | 205.71.79.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 13.248.252.114:80 | puzylyp.com | tcp |
| US | 99.83.138.213:80 | puzylyp.com | tcp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 13.248.169.48:80 | pupydeq.com | tcp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 172.67.136.136:80 | lysyvan.com | tcp |
| CN | 103.150.10.58:80 | lyrysor.com | tcp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | 136.136.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.169.248.13.in-addr.arpa | udp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 13.248.169.48:80 | pupydeq.com | tcp |
| CN | 103.150.10.58:80 | lyrysor.com | tcp |
| US | 8.8.8.8:53 | qedysov.com | udp |
| US | 8.8.8.8:53 | pumylel.com | udp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 8.8.8.8:53 | lysysod.com | udp |
| US | 8.8.8.8:53 | vonyket.com | udp |
| US | 8.8.8.8:53 | qekynuq.com | udp |
| US | 8.8.8.8:53 | pupypiv.com | udp |
| US | 8.8.8.8:53 | ganykaz.com | udp |
| US | 8.8.8.8:53 | lykynyj.com | udp |
| US | 8.8.8.8:53 | vopypif.com | udp |
| US | 8.8.8.8:53 | qebykap.com | udp |
| US | 8.8.8.8:53 | pujybyq.com | udp |
| US | 8.8.8.8:53 | gatypub.com | udp |
| US | 8.8.8.8:53 | lyvyjox.com | udp |
| US | 8.8.8.8:53 | vojybek.com | udp |
| US | 8.8.8.8:53 | qetytug.com | udp |
| US | 8.8.8.8:53 | puvyjop.com | udp |
| US | 8.8.8.8:53 | gahyvew.com | udp |
| US | 8.8.8.8:53 | lyrytun.com | udp |
| US | 8.8.8.8:53 | vocyjic.com | udp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| US | 8.8.8.8:53 | purytyg.com | udp |
| US | 8.8.8.8:53 | gacyhis.com | udp |
| US | 8.8.8.8:53 | lygyvar.com | udp |
| US | 8.8.8.8:53 | vowyrym.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 8.8.8.8:53 | pufycol.com | udp |
| US | 8.8.8.8:53 | gaqyreh.com | udp |
| US | 8.8.8.8:53 | lyxygud.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | qeqyreq.com | udp |
| US | 8.8.8.8:53 | puzyguv.com | udp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 8.8.8.8:53 | lymywaj.com | udp |
| US | 8.8.8.8:53 | volygyf.com | udp |
| US | 8.8.8.8:53 | pumywaq.com | udp |
| US | 8.8.8.8:53 | qedyxip.com | udp |
| US | 8.8.8.8:53 | galyfyb.com | udp |
| US | 8.8.8.8:53 | lysyxux.com | udp |
| US | 8.8.8.8:53 | vonyqok.com | udp |
| US | 8.8.8.8:53 | qekyfeg.com | udp |
| US | 8.8.8.8:53 | ganyqow.com | udp |
| US | 8.8.8.8:53 | pupyxup.com | udp |
| US | 8.8.8.8:53 | lykyfen.com | udp |
| US | 8.8.8.8:53 | vopyzuc.com | udp |
| US | 8.8.8.8:53 | qebyqil.com | udp |
| US | 8.8.8.8:53 | pujydag.com | udp |
| US | 8.8.8.8:53 | gatyzys.com | udp |
| US | 8.8.8.8:53 | lyvymir.com | udp |
| US | 8.8.8.8:53 | vojydam.com | udp |
| US | 8.8.8.8:53 | qetylyv.com | udp |
| US | 8.8.8.8:53 | puvymul.com | udp |
| US | 8.8.8.8:53 | gahydoh.com | udp |
| US | 8.8.8.8:53 | lyryled.com | udp |
| US | 8.8.8.8:53 | vocymut.com | udp |
| US | 8.8.8.8:53 | qegysoq.com | udp |
| US | 8.8.8.8:53 | purylev.com | udp |
| US | 8.8.8.8:53 | gacynuz.com | udp |
| US | 8.8.8.8:53 | lygysij.com | udp |
| US | 8.8.8.8:53 | vowykaf.com | udp |
| US | 8.8.8.8:53 | qexynyp.com | udp |
| US | 8.8.8.8:53 | pufypiq.com | udp |
| US | 8.8.8.8:53 | gaqykab.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 103.224.182.252:80 | vofycot.com | tcp |
| US | 64.225.91.73:80 | galynuh.com | tcp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 15.197.240.20:80 | qexyhuv.com | tcp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 103.224.212.210:80 | lyxynyx.com | tcp |
| US | 44.221.84.105:80 | gadyciz.com | tcp |
| HK | 154.85.183.50:80 | qegyval.com | tcp |
| US | 8.8.8.8:53 | ww16.vofycot.com | udp |
| DE | 64.190.63.136:80 | ww16.vofycot.com | tcp |
| US | 199.59.243.226:80 | ww6.galyqaz.com | tcp |
| US | 8.8.8.8:53 | 20.240.197.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.182.224.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.212.224.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.183.85.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.63.190.64.in-addr.arpa | udp |
| US | 15.197.240.20:80 | qexyhuv.com | tcp |
| US | 8.8.8.8:53 | vofypuk.com | udp |
| US | 8.8.8.8:53 | qeqykog.com | udp |
| US | 8.8.8.8:53 | puzybep.com | udp |
| US | 8.8.8.8:53 | gadypuw.com | udp |
| US | 8.8.8.8:53 | lymyjon.com | udp |
| US | 8.8.8.8:53 | volybec.com | udp |
| US | 8.8.8.8:53 | qedytul.com | udp |
| US | 8.8.8.8:53 | pumyjig.com | udp |
| US | 8.8.8.8:53 | galyvas.com | udp |
| US | 8.8.8.8:53 | lysytyr.com | udp |
| US | 8.8.8.8:53 | vonyjim.com | udp |
| US | 8.8.8.8:53 | qekyvav.com | udp |
| US | 8.8.8.8:53 | pupytyl.com | udp |
| US | 8.8.8.8:53 | ganyhuh.com | udp |
| US | 8.8.8.8:53 | lykyvod.com | udp |
| US | 8.8.8.8:53 | vopyret.com | udp |
| US | 8.8.8.8:53 | qebyhuq.com | udp |
| US | 8.8.8.8:53 | pujycov.com | udp |
| US | 8.8.8.8:53 | gatyrez.com | udp |
| US | 8.8.8.8:53 | lyvyguj.com | udp |
| US | 8.8.8.8:53 | vojycif.com | udp |
| US | 8.8.8.8:53 | qetyrap.com | udp |
| US | 8.8.8.8:53 | puvygyq.com | udp |
| US | 8.8.8.8:53 | gahycib.com | udp |
| US | 8.8.8.8:53 | lyrywax.com | udp |
| US | 8.8.8.8:53 | vocygyk.com | udp |
| US | 8.8.8.8:53 | qegyxug.com | udp |
| US | 8.8.8.8:53 | purywop.com | udp |
| US | 8.8.8.8:53 | gacyfew.com | udp |
| US | 8.8.8.8:53 | lygyxun.com | udp |
| US | 8.8.8.8:53 | vowyqoc.com | udp |
| US | 8.8.8.8:53 | qexyfel.com | udp |
| US | 8.8.8.8:53 | pufyxug.com | udp |
| US | 8.8.8.8:53 | gaqyqis.com | udp |
| US | 8.8.8.8:53 | lyxyfar.com | udp |
| US | 8.8.8.8:53 | vofyzym.com | udp |
| US | 8.8.8.8:53 | qeqyqiv.com | udp |
| US | 8.8.8.8:53 | gadyzyh.com | udp |
| US | 8.8.8.8:53 | puzydal.com | udp |
| US | 8.8.8.8:53 | lymymud.com | udp |
| US | 8.8.8.8:53 | volydot.com | udp |
| US | 8.8.8.8:53 | qedyleq.com | udp |
| US | 8.8.8.8:53 | pumymuv.com | udp |
| US | 8.8.8.8:53 | galydoz.com | udp |
| US | 8.8.8.8:53 | lysylej.com | udp |
| US | 8.8.8.8:53 | vonymuf.com | udp |
| US | 8.8.8.8:53 | qekysip.com | udp |
| US | 8.8.8.8:53 | ganynyb.com | udp |
| US | 8.8.8.8:53 | pupylaq.com | udp |
| US | 8.8.8.8:53 | lykysix.com | udp |
| US | 8.8.8.8:53 | vopykak.com | udp |
| US | 8.8.8.8:53 | qebynyg.com | udp |
| US | 8.8.8.8:53 | pujypup.com | udp |
| US | 8.8.8.8:53 | gatykow.com | udp |
| US | 8.8.8.8:53 | lyvynen.com | udp |
| US | 8.8.8.8:53 | vojypuc.com | udp |
| US | 8.8.8.8:53 | qetykol.com | udp |
| US | 8.8.8.8:53 | puvybeg.com | udp |
| US | 8.8.8.8:53 | gahypus.com | udp |
| US | 8.8.8.8:53 | lyryjir.com | udp |
| US | 8.8.8.8:53 | vocybam.com | udp |
| US | 8.8.8.8:53 | qegytyv.com | udp |
| US | 8.8.8.8:53 | puryjil.com | udp |
| US | 8.8.8.8:53 | gacyvah.com | udp |
| US | 8.8.8.8:53 | lygytyd.com | udp |
| US | 8.8.8.8:53 | vowyjut.com | udp |
| US | 8.8.8.8:53 | qexyvoq.com | udp |
| US | 8.8.8.8:53 | pufytev.com | udp |
| US | 8.8.8.8:53 | gaqyhuz.com | udp |
| US | 8.8.8.8:53 | lyxyvoj.com | udp |
| US | 8.8.8.8:53 | vofyref.com | udp |
| US | 8.8.8.8:53 | qeqyhup.com | udp |
| US | 8.8.8.8:53 | puzyciq.com | udp |
| US | 8.8.8.8:53 | gadyrab.com | udp |
| US | 8.8.8.8:53 | lymygyx.com | udp |
| US | 8.8.8.8:53 | volycik.com | udp |
| US | 8.8.8.8:53 | qedyrag.com | udp |
| US | 8.8.8.8:53 | pumygyp.com | udp |
| US | 8.8.8.8:53 | galycuw.com | udp |
| US | 8.8.8.8:53 | lysywon.com | udp |
| US | 8.8.8.8:53 | vonygec.com | udp |
| US | 8.8.8.8:53 | qekyxul.com | udp |
| US | 8.8.8.8:53 | pupywog.com | udp |
| US | 8.8.8.8:53 | ganyfes.com | udp |
| US | 8.8.8.8:53 | lykyxur.com | udp |
| US | 8.8.8.8:53 | vopyqim.com | udp |
| US | 8.8.8.8:53 | qebyfav.com | udp |
| US | 8.8.8.8:53 | pujyxyl.com | udp |
| US | 8.8.8.8:53 | gatyqih.com | udp |
| US | 8.8.8.8:53 | lyvyfad.com | udp |
| US | 8.8.8.8:53 | vojyzyt.com | udp |
| US | 8.8.8.8:53 | qetyquq.com | udp |
| US | 8.8.8.8:53 | puvydov.com | udp |
| US | 8.8.8.8:53 | gahyzez.com | udp |
| US | 8.8.8.8:53 | lyrymuj.com | udp |
| US | 8.8.8.8:53 | vocydof.com | udp |
| US | 8.8.8.8:53 | purymuq.com | udp |
| US | 8.8.8.8:53 | qegylep.com | udp |
| US | 8.8.8.8:53 | gacydib.com | udp |
| US | 8.8.8.8:53 | vowymyk.com | udp |
| US | 8.8.8.8:53 | qexysig.com | udp |
| US | 8.8.8.8:53 | pufylap.com | udp |
| US | 8.8.8.8:53 | gaqynyw.com | udp |
| US | 8.8.8.8:53 | lyxysun.com | udp |
| US | 8.8.8.8:53 | vofykoc.com | udp |
| US | 8.8.8.8:53 | puzypug.com | udp |
| US | 8.8.8.8:53 | gadykos.com | udp |
| US | 8.8.8.8:53 | lymyner.com | udp |
| US | 8.8.8.8:53 | pumybal.com | udp |
| US | 8.8.8.8:53 | volypum.com | udp |
| US | 8.8.8.8:53 | galypyh.com | udp |
| US | 8.8.8.8:53 | qedykiv.com | udp |
| US | 8.8.8.8:53 | vonybat.com | udp |
| US | 8.8.8.8:53 | pupyjuv.com | udp |
| US | 8.8.8.8:53 | qekytyq.com | udp |
| US | 8.8.8.8:53 | vopyjuf.com | udp |
| US | 8.8.8.8:53 | ganyvoz.com | udp |
| US | 8.8.8.8:53 | pujyteq.com | udp |
| US | 8.8.8.8:53 | qebyvop.com | udp |
| US | 8.8.8.8:53 | lyvyvix.com | udp |
| US | 8.8.8.8:53 | vojyrak.com | udp |
| US | 8.8.8.8:53 | qetyhyg.com | udp |
| US | 8.8.8.8:53 | puvycip.com | udp |
| US | 8.8.8.8:53 | qeqynel.com | udp |
| US | 8.8.8.8:53 | lykytej.com | udp |
| US | 8.8.8.8:53 | qetyhyg.com | udp |
| US | 64.225.91.73:80 | qetyhyg.com | tcp |
| US | 72.52.179.174:80 | gatyhub.com | tcp |
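The network rows above are dominated by DNS queries for seven-letter .com names that all share one rigid shape: a letter in slots 1, 3, 5 and 7, a vowel (y included) in slots 2 and 6, a fixed y in slot 4, and a first two letters that cycle through pu, ga, ly, vo and qe. That regularity is what an analyst screens for as algorithmically generated (DGA) names, and only a handful of them resolve and are then contacted over TCP (for example pupydeq.com, lysyvan.com, lyrysor.com, vofycot.com and qetyhyg.com). The Python below is an added example, not part of the sandbox report or of any Simda tooling: it parses rows in the table's own layout, flags names that fit the observed shape, and separates names that were merely queried from those that were actually reached. The shape regex is an assumption fitted to the rows on this page rather than the family's real generator, and the rows embedded in the script are a constructed excerpt of the table.

```python
import re
from collections import Counter

# Constructed excerpt of the report's network table (a handful of rows in the
# same "| country | ip:port | name | proto |" layout; the full page has many more).
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 13.248.169.48:80 | pupydeq.com | tcp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 172.67.136.136:80 | lysyvan.com | tcp |
| CN | 103.150.10.58:80 | lyrysor.com | tcp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | 136.136.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ww16.vofycot.com | udp |
| DE | 64.190.63.136:80 | ww16.vofycot.com | tcp |
| US | 199.59.243.226:80 | ww6.galyqaz.com | tcp |
"""

# One table row: "| CC | ip:port | name | udp|tcp |".
ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[A-Z]{2})\s*\|\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*\|"
    r"\s*(?P<name>\S+)\s*\|\s*(?P<proto>udp|tcp)\s*\|$"
)

# Shape shared by every candidate name in the table: seven lowercase letters,
# a vowel (y included) in slots 2 and 6, a fixed 'y' in slot 4, under .com,
# optionally behind a host label such as ww16.  ASSUMPTION: this regex is
# fitted to the rows on the page; it is not the family's real generator.
DGA_SHAPE = re.compile(
    r"^(?:[a-z0-9]+\.)?(?P<label>[a-z][aeiouy][a-z]y[a-z][aeiouy][a-z])\.com$"
)


def parse_rows(text):
    """Return one dict per well-formed table row; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def dga_domain(name):
    """Registrable '<label>.com' if name fits the observed shape, else None."""
    m = DGA_SHAPE.match(name.lower())
    return m.group("label") + ".com" if m else None


def summarize(text):
    """Split shape-matching names into queried-only versus actually contacted."""
    queried = set()
    contacted = {}  # domain -> set of "ip:port" endpoints reached over TCP
    for r in parse_rows(text):
        d = dga_domain(r["name"])
        if d is None:  # PTR lookups and anything else fall out here
            continue
        if r["proto"] == "udp" and r["port"] == "53":
            queried.add(d)
        elif r["proto"] == "tcp":
            contacted.setdefault(d, set()).add(f'{r["ip"]}:{r["port"]}')
    # First two letters per unique domain, to expose the pu/ga/ly/vo/qe cycle.
    prefixes = Counter(d[:2] for d in queried | set(contacted))
    return {
        "queried": sorted(queried),
        "contacted": {d: sorted(eps) for d, eps in sorted(contacted.items())},
        "unresolved": sorted(queried - set(contacted)),
        "prefixes": dict(prefixes),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_ROWS)
    print("queried   :", report["queried"])
    print("contacted :", report["contacted"])
    print("unresolved:", report["unresolved"])
    print("prefixes  :", report["prefixes"])
```

Pasting the full table into SAMPLE_ROWS (or feeding it from a file) gives the complete split for this run; the "contacted" endpoints are the ones worth a reputation lookup and a block, while the "unresolved" list shows how much of the generated set was dark at detonation time. The same shape regex can be dropped into a DNS log query, with the caveat that it was derived from this one page and will need re-fitting for other seeds or dates.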
Files
C:\Windows\apppatch\svchost.exe
| MD5 | 5374ef3902e68a0b4bf21569b049b1d5 |
| SHA1 | 4edd81bbc33659c4f8a7f7cb9b90a4b6d1540d03 |
| SHA256 | b15a87aaa33a9bebaccf388202386dd0a33d7729bc1f8c01d65548f8f939e619 |
| SHA512 | 1b57fb33d22023283a9deeee0640491a3ad359fa909084e43c987e99e31e79067580d9c682a65989e920d6db931e3827fc186b5e1cd2da139e7da72ca872cc13 |
memory/2072-9-0x0000000000400000-0x000000000045F000-memory.dmp
memory/4032-10-0x0000000002720000-0x00000000027C8000-memory.dmp
memory/4032-13-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-16-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-14-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-20-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-22-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-71-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-73-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-72-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-70-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-69-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-68-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-67-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-66-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-65-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-64-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-63-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-62-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-61-0x0000000002B40000-0x0000000002BF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BAEA.tmp
| MD5 | 3142ba81204411c05fd36611f9df1404 |
| SHA1 | aa36c11356219f2ae63c87815891128c64de758e |
| SHA256 | 037a8d23da10ab17e3b80a23f156e90c1a1d01a428262b2c409d9061d1017537 |
| SHA512 | e903e6514c8a4a715e7c43683dc3d9b892448fe34fcdfb3a0e3ba519901180ec6a95ed5b09101d0837ec203eb4d516a311fbb32f309984862ed62b5b54262ad4 |
memory/4032-60-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-59-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-58-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-57-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-56-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-54-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-53-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-52-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-51-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-55-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-50-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-49-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-48-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-47-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-46-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-45-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-44-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-43-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-42-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-40-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-39-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-38-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-37-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-36-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-35-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-34-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-33-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-32-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-31-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-29-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-28-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-27-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-26-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-25-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-23-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-21-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-19-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-18-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-41-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-30-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-24-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/4032-17-0x0000000002B40000-0x0000000002BF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BC57.tmp
| MD5 | cd4611cb164dc6fe4b28804f3205e505 |
| SHA1 | 2e214ebf479474cbf082c46f7697cb093e64988d |
| SHA256 | 72b5b049868c636653fc1a7f5379d077f92034f48774f22d1d7b9832d00e613d |
| SHA512 | 28d3e704325dbf7dc972b44763918ba53bc5e7bbda918206bbb56c6c8d765ae8d3a25c75f5033c1524140a13542b9b3cc993b5408fe5b521a0d105375afa622c |
memory/4032-161-0x0000000002B40000-0x0000000002BF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AE9A.tmp
| MD5 | 926512864979bc27cf187f1de3f57aff |
| SHA1 | acdeb9d6187932613c7fa08eaf28f0cd8116f4b5 |
| SHA256 | b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f |
| SHA512 | f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b |