Analysis Overview
SHA256
8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697
Threat Level: Known bad
The file 8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N was found to be: Known bad.
Malicious Activity Summary
simda
Simda family
Modifies WinLogon for persistence
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-19 17:54
Signatures
Simda family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-19 17:54
Reported
2024-09-19 17:56
Platform
win7-20240903-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\b7504011 = "Nš™€6`)\b@î·3(.µ™\x11Ëu2„1¦çšÑ\u008f5{(ú=*\x1f\x17¾³oÿ\x06ïÀ\x17¾\x12_÷\x06\x7fç\x06çØ•gÞ\x18ßm•ºµ\x16#ÆËç\x15Ož(vB\x1aV\x17\x06Õ" | C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\b7504011 = "Nš™€6`)\b@î·3(.µ™\x11Ëu2„1¦çšÑ\u008f5{(ú=*\x1f\x17¾³oÿ\x06ïÀ\x17¾\x12_÷\x06\x7fç\x06çØ•gÞ\x18ßm•ºµ\x16#ÆËç\x15Ož(vB\x1aV\x17\x06Õ" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2544 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe
"C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
Files
\Windows\AppPatch\svchost.exe
| MD5 | fb4c0e154913217f3471bda1cac3f8e0 |
| SHA1 | 3b82a4ca82fc322a10b8f2292ea41d55f93b776d |
| SHA256 | 0b41ba37c57a446748a836655641a5ef27bef8a373b7ed8cf3ca9c8786fdb945 |
| SHA512 | 7c03aeb10292ee82e260f288c9015a3b9c82b61ef5b758ad262b8f9b6a0994c60e9eb8cab180c55985d378d65a6fec400727ff24818ca00ae55126de0f5ec21f |
C:\Users\Admin\AppData\Local\Temp\ED74.tmp
| MD5 | 8b02ce7de4d1479204d79e239784fa3d |
| SHA1 | 8874ff25d4f856972784644b97aed636f1450147 |
| SHA256 | a4236c08ae6e1801a7ef32ff6ba1f0a64175ce6e751e9ab169fcef58b71ccb7d |
| SHA512 | 2236b337d3955f78d1b4bb61bfc177d62a980db49134e3e23d6881152e8e410c785930a8631036e58f88206d35f5726de29d40117e307670dff3dba17eb85f7b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-19 17:54
Reported
2024-09-19 17:56
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
120s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\c67ad503 = "\x192_\x19Çxˆç—œóM„xä$X¾W\x1f\u00a0Dfº§ã\fËx˜µs\x10h–\x16\x10ž\u009d°5÷\x0eº¸Žïx´\aÅó3cØÝ_mk–·\x03è2\x0e\u0090Dà\u00a0hÆ@Ý\x7f\u00ad<ëÞtÊ{,î8ËRdçï\nÚÞ\väfÚ§Å8P‚\a\blÚn\u009dÃ\x1bƒü\u008f°j,¢\x1b\x14JžˆçÀì•\b@\\û¶%¦\u0090z\x03§½¸>\x1d\\Ø\x05\u008fÒBõõ¸pnåˆ\b\bö\x1c—žBÛ&Í×4Í\x0fÝkzZ|€E\x1aô`7\u00a0\x17í\aºT4Ó“³Üßĺ”W\x05®OBì˜8\rëôìb£ÄÜÀoƒ5ã\x1alEÃ(tðôç¬Me\x16ø$" | C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\c67ad503 = "\x192_\x19Çxˆç—œóM„xä$X¾W\x1f\u00a0Dfº§ã\fËx˜µs\x10h–\x16\x10ž\u009d°5÷\x0eº¸Žïx´\aÅó3cØÝ_mk–·\x03è2\x0e\u0090Dà\u00a0hÆ@Ý\x7f\u00ad<ëÞtÊ{,î8ËRdçï\nÚÞ\väfÚ§Å8P‚\a\blÚn\u009dÃ\x1bƒü\u008f°j,¢\x1b\x14JžˆçÀì•\b@\\û¶%¦\u0090z\x03§½¸>\x1d\\Ø\x05\u008fÒBõõ¸pnåˆ\b\bö\x1c—žBÛ&Í×4Í\x0fÝkzZ|€E\x1aô`7\u00a0\x17í\aºT4Ó“³Üßĺ”W\x05®OBì˜8\rëôìb£ÄÜÀoƒ5ã\x1alEÃ(tðôç¬Me\x16ø$" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3536 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe
"C:\Users\Admin\AppData\Local\Temp\8304ea0c122589dc46c6a2ba03eaf62940aa0c1ac9739839a9ebaa43727f2697N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8
Network
Files
C:\Windows\apppatch\svchost.exe
| MD5 | c7456cb4ddd80fe5f80d204786d2812d |
| SHA1 | cbc66180e26e659611e4a6d90e4d10cc9c989d38 |
| SHA256 | 8159308103cd43816bae5a941241bbbc30bedd34eac2ba7656db5ef43a8adad4 |
| SHA512 | dcff730fd6853a3570e42907342288ab9328d7e22001bc095262bd015b98a1f007865bedaa2d64adbf7bbcc91276adbd59675009749739fc8cebc41c56fe1ade |