Malware Analysis Report

2025-06-16 00:31

Sample ID 240919-whbnzasdjn
Target 8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N
SHA256 8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697
Tags simda discovery persistence stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697

Threat Level: Known bad

The file 8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

simda

Simda family

Modifies WinLogon for persistence

Loads dropped DLL

Executes dropped EXE

Modifies WinLogon

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-19 17:54

Signatures

Simda family

simda

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-19 17:54

Reported

2024-09-19 17:56

Platform

win7-20240903-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\b7504011 = "Nš™€6`)\b@î·3(.µ™\x11Ëu2„1¦çšÑ\u008f5{(ú=*\x1f\x17¾³oÿ\x06ïÀ\x17¾\x12_÷\x06\x7fç\x06çØ•gÞ\x18ßm•ºµ\x16#ÆËç\x15Ož(vB\x1aV\x17\x06Õ" C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\b7504011 = "Nš™€6`)\b@î·3(.µ™\x11Ëu2„1¦çšÑ\u008f5{(ú=*\x1f\x17¾³oÿ\x06ïÀ\x17¾\x12_÷\x06\x7fç\x06çØ•gÞ\x18ßm•ºµ\x16#ÆËç\x15Ož(vB\x1aV\x17\x06Õ" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe N/A (4 identical events)
N/A N/A C:\Windows\apppatch\svchost.exe N/A (57 identical events)

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe

"C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network


Files

\Windows\AppPatch\svchost.exe

MD5 fb4c0e154913217f3471bda1cac3f8e0
SHA1 3b82a4ca82fc322a10b8f2292ea41d55f93b776d
SHA256 0b41ba37c57a446748a836655641a5ef27bef8a373b7ed8cf3ca9c8786fdb945
SHA512 7c03aeb10292ee82e260f288c9015a3b9c82b61ef5b758ad262b8f9b6a0994c60e9eb8cab180c55985d378d65a6fec400727ff24818ca00ae55126de0f5ec21f

C:\Users\Admin\AppData\Local\Temp\ED74.tmp

MD5 8b02ce7de4d1479204d79e239784fa3d
SHA1 8874ff25d4f856972784644b97aed636f1450147
SHA256 a4236c08ae6e1801a7ef32ff6ba1f0a64175ce6e751e9ab169fcef58b71ccb7d
SHA512 2236b337d3955f78d1b4bb61bfc177d62a980db49134e3e23d6881152e8e410c785930a8631036e58f88206d35f5726de29d40117e307670dff3dba17eb85f7b

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-19 17:54

Reported

2024-09-19 17:56

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\c67ad503 = "\x192_\x19Çxˆç—œóM„xä$X¾W\x1f\u00a0Dfº§ã\fËx˜µs\x10h–\x16\x10ž\u009d°5÷\x0eº¸Žïx´\aÅó3cØÝ_mk–·\x03è2\x0e\u0090Dà\u00a0hÆ@Ý\x7f\u00ad<ëÞtÊ{,î8ËRdçï\nÚÞ\väfÚ§Å8P‚\a\blÚn\u009dÃ\x1bƒü\u008f°j,¢\x1b\x14JžˆçÀì•\b@\\û¶%¦\u0090z\x03§½¸>\x1d\\Ø\x05\u008fÒBõõ¸pnåˆ\b\bö\x1c—žBÛ&Í×4Í\x0fÝkzZ|€E\x1aô`7\u00a0\x17í\aºT4Ó“³Üßĺ”W\x05®OBì˜8\rëôìb£ÄÜÀoƒ5ã\x1alEÃ(tðôç¬Me\x16ø$" C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\c67ad503 = "\x192_\x19Çxˆç—œóM„xä$X¾W\x1f\u00a0Dfº§ã\fËx˜µs\x10h–\x16\x10ž\u009d°5÷\x0eº¸Žïx´\aÅó3cØÝ_mk–·\x03è2\x0e\u0090Dà\u00a0hÆ@Ý\x7f\u00ad<ëÞtÊ{,î8ËRdçï\nÚÞ\väfÚ§Å8P‚\a\blÚn\u009dÃ\x1bƒü\u008f°j,¢\x1b\x14JžˆçÀì•\b@\\û¶%¦\u0090z\x03§½¸>\x1d\\Ø\x05\u008fÒBõõ¸pnåˆ\b\bö\x1c—žBÛ&Í×4Í\x0fÝkzZ|€E\x1aô`7\u00a0\x17í\aºT4Ó“³Üßĺ”W\x05®OBì˜8\rëôìb£ÄÜÀoƒ5ã\x1alEÃ(tðôç¬Me\x16ø$" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe N/A (8 identical events)
N/A N/A C:\Windows\apppatch\svchost.exe N/A (56 identical events)

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe

"C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8

Network


Files

C:\Windows\apppatch\svchost.exe

MD5 c7456cb4ddd80fe5f80d204786d2812d
SHA1 cbc66180e26e659611e4a6d90e4d10cc9c989d38
SHA256 8159308103cd43816bae5a941241bbbc30bedd34eac2ba7656db5ef43a8adad4
SHA512 dcff730fd6853a3570e42907342288ab9328d7e22001bc095262bd015b98a1f007865bedaa2d64adbf7bbcc91276adbd59675009749739fc8cebc41c56fe1ade
