Analysis Overview
SHA256
4901c2eb26cc12e6d550d2d266a86b9a850b7d1becfedb1ca991fce14d4d7ac9
Threat Level: Known bad
The file ebc25e76c2086197bb78897cc6be8642_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Simda family
Modifies WinLogon for persistence
simda
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-19 16:42
Signatures
Simda family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-19 16:42
Reported
2024-09-19 16:45
Platform
win7-20240708-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3e01c51 = "ËÐâç44\x03->—âä¶Î\u0090Ë9\x12\x19_…°CÖ_ë\a!ô·L\x064)“\u00a0‡¾š\x05fˆ¿\x02£Ò2ä\x7fƒµ^\x184à+gÝÉ[LÏè¿&9\nŠ«.\u0081šëqV¢é;’T@s„;L’öÝ\x06ˆ–hVÝ~hR© öC+öåêÆîä¬\na\f\x1c.\x1cΚº¶\x19\x18)RÊ+Éfq&Mx\x17ãaÏ4f\u00adŽ…ä\x0f\x17ò’/\u008f¬¿\x0e<d›ªÆÔ¾<sb¬ól„¨èˆímxá÷©\x1d×\x104Ó “.äU °\bè@·¶\u00a0íÒ\v¾‘\x14þCaƺA&÷BÐö¥–íˆÓ“ä¿§\u00a0\x7f“ÿ¿hà¹Ch\x03¶\x1cÀ=fƺ\f÷ê¶2è¶UQ\x01B\x06\x18ý\x14.\\'©. \x1dqhT" | C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3e01c51 = "ËÐâç44\x03->—âä¶Î\u0090Ë9\x12\x19_…°CÖ_ë\a!ô·L\x064)“\u00a0‡¾š\x05fˆ¿\x02£Ò2ä\x7fƒµ^\x184à+gÝÉ[LÏè¿&9\nŠ«.\u0081šëqV¢é;’T@s„;L’öÝ\x06ˆ–hVÝ~hR© öC+öåêÆîä¬\na\f\x1c.\x1cΚº¶\x19\x18)RÊ+Éfq&Mx\x17ãaÏ4f\u00adŽ…ä\x0f\x17ò’/\u008f¬¿\x0e<d›ªÆÔ¾<sb¬ól„¨èˆímxá÷©\x1d×\x104Ó “.äU °\bè@·¶\u00a0íÒ\v¾‘\x14þCaƺA&÷BÐö¥–íˆÓ“ä¿§\u00a0\x7f“ÿ¿hà¹Ch\x03¶\x1cÀ=fƺ\f÷ê¶2è¶UQ\x01B\x06\x18ý\x14.\\'©. \x1dqhT" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2220 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
| PID 2220 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
| PID 2220 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
| PID 2220 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
\Windows\AppPatch\svchost.exe
| MD5 | af973fd6117ff03900d671a621bde68b |
| SHA1 | b56c737de9154d22ada4c0919de4d00eb7a1bb14 |
| SHA256 | 3e364c6ffc6801e692761f663d6c5cf707ee6471388fdcab891fbdf4b9ed839a |
| SHA512 | 9f876275e4bf4496656b78d8c11d0a43017105d065f04a98b4f46cfd027cf4e86609c444da6841e644a25bef0398930aefc486453eb8b5dc89b2bf807994c1db |
C:\Users\Admin\AppData\Local\Temp\A500.tmp
| MD5 | 326739781283f38a7bf84b8bdf8eff24 |
| SHA1 | 7b61df41335d3134973cf8fbc3cc4839a4caad38 |
| SHA256 | e3e44602927b602bd62159bd791f2afb71f73be05f8b0a75b8a7f8375b7a0d93 |
| SHA512 | 8c9445112d68102790e4310230f2b2191954a1771d1bccd6c7e1f805bb09099ce1f2f982857f8344245b9939639d1646e6c67893deb94d5f61502f77810960e6 |
memory/2408-188-0x00000000021B0000-0x0000000002266000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B8BA.tmp
| MD5 | 926512864979bc27cf187f1de3f57aff |
| SHA1 | acdeb9d6187932613c7fa08eaf28f0cd8116f4b5 |
| SHA256 | b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f |
| SHA512 | f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-19 16:42
Reported
2024-09-19 16:45
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\492f9239 = ">\u008f\x01\x10ÿ&É[\næ\vü\x05\x18ý™º\x15O‰¶V~\u008d\u0081\u008dÓÓP˜\u009d<¾–ÍPÆ6\u00a0Õt¯à(= \x1dÀ]Ä/‡Õ>½\u008f(-upþ" | C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\492f9239 = ">\u008f\x01\x10ÿ&É[\næ\vü\x05\x18ý™º\x15O‰¶V~\u008d\u0081\u008dÓÓP˜\u009d<¾–ÍPÆ6\u00a0Õt¯à(= \x1dÀ]Ä/‡Õ>½\u008f(-upþ" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe | N/A |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3052 wrote to memory of 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
| PID 3052 wrote to memory of 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
| PID 3052 wrote to memory of 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebc25e76c2086197bb78897cc6be8642_JaffaCakes118.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| US | 8.8.8.8:53 | pupyxup.com | udp |
| US | 8.8.8.8:53 | ganyqow.com | udp |
| US | 8.8.8.8:53 | lykyfen.com | udp |
| US | 8.8.8.8:53 | vopyzuc.com | udp |
| US | 8.8.8.8:53 | qebyqil.com | udp |
| US | 8.8.8.8:53 | pujydag.com | udp |
| US | 8.8.8.8:53 | gatyzys.com | udp |
| US | 8.8.8.8:53 | lyvymir.com | udp |
| US | 8.8.8.8:53 | qetylyv.com | udp |
| US | 8.8.8.8:53 | puvymul.com | udp |
| US | 8.8.8.8:53 | gahydoh.com | udp |
| US | 8.8.8.8:53 | lyryled.com | udp |
| US | 8.8.8.8:53 | vocymut.com | udp |
| US | 8.8.8.8:53 | qegysoq.com | udp |
| US | 8.8.8.8:53 | purylev.com | udp |
| US | 8.8.8.8:53 | gacynuz.com | udp |
| US | 8.8.8.8:53 | lygysij.com | udp |
| US | 8.8.8.8:53 | vowykaf.com | udp |
| US | 8.8.8.8:53 | qexynyp.com | udp |
| US | 8.8.8.8:53 | pufypiq.com | udp |
| US | 8.8.8.8:53 | gaqykab.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 103.224.212.210:80 | lyxynyx.com | tcp |
| US | 44.221.84.105:80 | gadyciz.com | tcp |
| US | 103.224.182.252:80 | vofycot.com | tcp |
| HK | 154.85.183.50:80 | qegyval.com | tcp |
| US | 8.8.8.8:53 | ww16.vofycot.com | udp |
| DE | 64.190.63.136:80 | ww16.vofycot.com | tcp |
| US | 8.8.8.8:53 | 252.182.224.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.183.85.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 64.225.91.73:80 | galynuh.com | tcp |
| US | 15.197.240.20:80 | qexyhuv.com | tcp |
| US | 8.8.8.8:53 | ww25.lyxynyx.com | udp |
| US | 199.59.243.226:80 | ww25.lyxynyx.com | tcp |
| US | 8.8.8.8:53 | 136.63.190.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.240.197.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.212.224.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.243.59.199.in-addr.arpa | udp |
| US | 15.197.240.20:80 | qexyhuv.com | tcp |
Files
C:\Windows\apppatch\svchost.exe
| MD5 | a469791bbf741a0ec0b7e8d93d01dcfd |
| SHA1 | e764c12e0f267aa2f04ed4211bf985f8d8623fb4 |
| SHA256 | 3a242179acd78dd142d3d97e6d57322484f165672955eb46444778d2650c2952 |
| SHA512 | 99a5f72c603f98ce0ea27fd8da073b4c2bf0f017bbb9265f7d1c3f3e9d2ebfdecb544e542ab744dcb8690ca3d5fd1f3d0558d2d1f85bc09d688ff9a1bf40e9c8 |
memory/3052-8-0x0000000000400000-0x000000000045F000-memory.dmp
memory/3432-10-0x0000000002720000-0x00000000027C8000-memory.dmp
memory/3432-13-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-15-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-14-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-11-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-53-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-60-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-73-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-72-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-71-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-70-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-69-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-67-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-66-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-65-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-64-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-63-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-62-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-61-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-59-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-58-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-57-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-56-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-55-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-54-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-52-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-51-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-50-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-49-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-48-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-47-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-46-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-45-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-44-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-43-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-42-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-40-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-39-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-38-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-37-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-36-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-35-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-34-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-33-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-32-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-31-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-30-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-29-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-27-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-26-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-25-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-24-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-23-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-22-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-21-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-20-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-19-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-18-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-17-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-68-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-41-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-28-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-16-0x0000000002B40000-0x0000000002BF6000-memory.dmp
memory/3432-158-0x0000000002B40000-0x0000000002BF6000-memory.dmp