Analysis Overview
SHA256
e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf
Threat Level: Known bad
The file e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
simda
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-20 01:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-20 01:07
Reported
2024-09-20 01:10
Platform
win7-20240903-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3c302f94 = "ÀÜ]™ž±çu\u00ad•z&Gi—\x06\aý›\x1f©‡\f³ÜˆûôŠ©ã‡ƒŽ“sâéa“\x16–»2ç©6\u008fò#»\x01N\a‘Ó;\x0e»\x03Ïsή£B6\nó§Cº\x19Ën\x06ú2š\x13ãC›êãO3‘S\x13W£G;Ç\x1ba\x01ÞžÚ‹Æ·.\x02ÃCó>“ÊêNz£‡3“Cƒ+»3£©±)^\x13ÿã÷g\x13*3ƒN\x03ÚŸÆ\x1b\x1aóû[›w¹#[†×\x01\vk‘/Ë\"z7®ëÂû–ŽÇc‡.\x13*Ó3KS\x1b::ú«{º[ﮟ\x1bëÖRk+ûk/©6òGc\x1b³\x0f³I¾ASk£ò3É×k+ó«SVc“Ócq/K';.·f««ZçË^ó†\vw›\x19“¦[Ò#¹Ž»öw" | C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3c302f94 = "ÀÜ]™ž±çu\u00ad•z&Gi—\x06\aý›\x1f©‡\f³ÜˆûôŠ©ã‡ƒŽ“sâéa“\x16–»2ç©6\u008fò#»\x01N\a‘Ó;\x0e»\x03Ïsή£B6\nó§Cº\x19Ën\x06ú2š\x13ãC›êãO3‘S\x13W£G;Ç\x1ba\x01ÞžÚ‹Æ·.\x02ÃCó>“ÊêNz£‡3“Cƒ+»3£©±)^\x13ÿã÷g\x13*3ƒN\x03ÚŸÆ\x1b\x1aóû[›w¹#[†×\x01\vk‘/Ë\"z7®ëÂû–ŽÇc‡.\x13*Ó3KS\x1b::ú«{º[ﮟ\x1bëÖRk+ûk/©6òGc\x1b³\x0f³I¾ASk£ò3É×k+ó«SVc“Ócq/K';.·f««ZçË^ó†\vw›\x19“¦[Ò#¹Ž»öw" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2176 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe
"C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
Files
\Windows\AppPatch\svchost.exe
| MD5 | 86fb254e7e6607fc743989235c384859 |
| SHA1 | ac6dc94f01aa642a4acf37b6dc82f12666dd4349 |
| SHA256 | 654d1c18101f875d5d3893ee668d3f30afce17051ad4ef651f37e28a11e26326 |
| SHA512 | b108e31936b965a4486de7a2d40b7bf315e3c7313a6ca5b3016a2a74d683987bbca1b274081cdd543e45ca8065e719e2f44d84c140eb01264645c0034c154a16 |
C:\Users\Admin\AppData\Local\Temp\E1B1.tmp
| MD5 | 0e1cb5716ef9049405aa208d4cb2da8f |
| SHA1 | ebe0c4d65eb1cf4628b063106280a515c3938bc9 |
| SHA256 | aa5231083370fa609de0a7313c15b904c10f8931d1e18a14befe825d01d933e6 |
| SHA512 | 40d46d4ce5ca7e8341b625816382b110c00c3ce2e8429828a69898023fe139854ec0c7f5eba0cfcda032a4cfcca806199cd8ba5827626023c3692b58cbf19678 |
C:\Users\Admin\AppData\Local\Temp\E10F.tmp
| MD5 | 175b9290ab7d27aecd4e285213022aeb |
| SHA1 | e8cb945fd916077d0ce60678b5f26997ebaad452 |
| SHA256 | 73a23d9d93b9c015410fe6e7f230d3c392a4a8c5632dbd5d7fd8d1ff5848e280 |
| SHA512 | f1cad406b12e48d07da2e5f731438898f1027efba045753a26f6ea09a2ed6403633e70914e2ff211c8f6c0403cf5be70434cb93ad0c2b06b4bdedd39a4ca67b8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-20 01:07
Reported
2024-09-20 01:09
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\6cf32fee = "@X¬1Büš;yß÷ûƒâóÏW•\x16\x02\x03µESWO\x7f\x1a\x16ækÞîú\b\x03”«¬\x06´Û\\2{\x12s’»bK»ˆ¢Ö˃¢k~æ.KšÞzhò³ÚVPîè,š\x12J\x1bÓJ~Ì\f`J›ö6\x14ØË˜hºKÖ\bî’‹ó¶“\u0090³Ô¦R\x1b@êCŽ\nŒÛ¢>$J¦óÄjÆúæZ¾\x03ŠÂšzÚhæ[»\x12p\fr3r»¾S“¸Fòäë“4[$¼6¶\fÆK\v6@\x06\b³4Ns\vˆ \x1cfBjÄÊ\\£¦î~>v\u0090.\n#Óã\x13’³ÓrŠ,’ò\u0090Þ²²*³Ó£ëœÖ²›fþè\x04ÃÆóúæ0¢ƒîì\x03~ž\n\bv\b{úÔŠ\x10\x12¤\x1bËÓœhHâÓL\f\n:Öä" | C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\6cf32fee = "@X¬1Büš;yß÷ûƒâóÏW•\x16\x02\x03µESWO\x7f\x1a\x16ækÞîú\b\x03”«¬\x06´Û\\2{\x12s’»bK»ˆ¢Ö˃¢k~æ.KšÞzhò³ÚVPîè,š\x12J\x1bÓJ~Ì\f`J›ö6\x14ØË˜hºKÖ\bî’‹ó¶“\u0090³Ô¦R\x1b@êCŽ\nŒÛ¢>$J¦óÄjÆúæZ¾\x03ŠÂšzÚhæ[»\x12p\fr3r»¾S“¸Fòäë“4[$¼6¶\fÆK\v6@\x06\b³4Ns\vˆ \x1cfBjÄÊ\\£¦î~>v\u0090.\n#Óã\x13’³ÓrŠ,’ò\u0090Þ²²*³Ó£ëœÖ²›fþè\x04ÃÆóúæ0¢ƒîì\x03~ž\n\bv\b{úÔŠ\x10\x12¤\x1bËÓœhHâÓL\f\n:Öä" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4672 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe
"C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vojybek.com | udp |
| US | 8.8.8.8:53 | qetytug.com | udp |
| US | 8.8.8.8:53 | puvyjop.com | udp |
| US | 8.8.8.8:53 | gahyvew.com | udp |
| US | 8.8.8.8:53 | lyrytun.com | udp |
| US | 8.8.8.8:53 | vocyjic.com | udp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| US | 8.8.8.8:53 | purytyg.com | udp |
| US | 8.8.8.8:53 | gacyhis.com | udp |
| US | 8.8.8.8:53 | lygyvar.com | udp |
| US | 8.8.8.8:53 | vowyrym.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 8.8.8.8:53 | pufycol.com | udp |
| US | 8.8.8.8:53 | gaqyreh.com | udp |
| US | 8.8.8.8:53 | lyxygud.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | qeqyreq.com | udp |
| US | 8.8.8.8:53 | puzyguv.com | udp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 8.8.8.8:53 | lymywaj.com | udp |
| US | 8.8.8.8:53 | volygyf.com | udp |
| US | 8.8.8.8:53 | qedyxip.com | udp |
| US | 8.8.8.8:53 | pumywaq.com | udp |
| US | 8.8.8.8:53 | galyfyb.com | udp |
| US | 8.8.8.8:53 | lysyxux.com | udp |
| US | 8.8.8.8:53 | vonyqok.com | udp |
| US | 8.8.8.8:53 | qekyfeg.com | udp |
| US | 8.8.8.8:53 | pupyxup.com | udp |
| US | 8.8.8.8:53 | ganyqow.com | udp |
| US | 8.8.8.8:53 | lykyfen.com | udp |
| US | 8.8.8.8:53 | vopyzuc.com | udp |
| US | 8.8.8.8:53 | qebyqil.com | udp |
| US | 8.8.8.8:53 | pujydag.com | udp |
| US | 8.8.8.8:53 | gatyzys.com | udp |
| US | 8.8.8.8:53 | lyvymir.com | udp |
| US | 8.8.8.8:53 | vojydam.com | udp |
| US | 8.8.8.8:53 | qetylyv.com | udp |
| US | 8.8.8.8:53 | puvymul.com | udp |
| US | 8.8.8.8:53 | gahydoh.com | udp |
| US | 8.8.8.8:53 | lyryled.com | udp |
| US | 8.8.8.8:53 | vocymut.com | udp |
| US | 8.8.8.8:53 | qegysoq.com | udp |
| US | 8.8.8.8:53 | gacynuz.com | udp |
| US | 8.8.8.8:53 | purylev.com | udp |
| US | 8.8.8.8:53 | vowykaf.com | udp |
| US | 8.8.8.8:53 | lygysij.com | udp |
| US | 8.8.8.8:53 | pufypiq.com | udp |
| US | 8.8.8.8:53 | gaqykab.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 64.225.91.73:80 | galynuh.com | tcp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 103.224.212.210:80 | lyxynyx.com | tcp |
| US | 44.221.84.105:80 | gadyciz.com | tcp |
| US | 103.224.182.252:80 | vofycot.com | tcp |
| HK | 154.85.183.50:80 | qegyval.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 15.197.240.20:80 | qexyhuv.com | tcp |
| US | 8.8.8.8:53 | 20.240.197.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.183.85.154.in-addr.arpa | udp |
| US | 15.197.240.20:80 | qexyhuv.com | tcp |
| US | 8.8.8.8:53 | ww25.lyxynyx.com | udp |
| US | 199.59.243.226:80 | ww25.lyxynyx.com | tcp |
| US | 8.8.8.8:53 | ww16.vofycot.com | udp |
| DE | 64.190.63.136:80 | ww16.vofycot.com | tcp |
| US | 8.8.8.8:53 | 252.182.224.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.212.224.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.63.190.64.in-addr.arpa | udp |
Files
C:\Windows\apppatch\svchost.exe
| MD5 | 502cdc3f69abef7cb7de10f2a1ad99a6 |
| SHA1 | cb404f07f2de1c5bdb7dc5fe7c550a4777f289d5 |
| SHA256 | d241affdaa299b6a5620c116a69f2d85a613015f8ee5fb90c66c185560cfddd0 |
| SHA512 | ae281649d928cba49790ea167033ac99810c8b276299ceb2399aea01cbe9887975a48b384e10022a3cefafa344bce8fe906a359723801e337d9416a04d403c69 |
C:\Users\Admin\AppData\Local\Temp\9CB9.tmp
| MD5 | 88b694ce4f2e204426940bf08ced2f98 |
| SHA1 | 2af1502295a3530bbb51c284dd7c9a7f0fd454d6 |
| SHA256 | 27754bddfe21c43c9b71f2e1d802f8dd4e5a2ee528ac911d5a676ea5238db6c9 |
| SHA512 | 373c0fc165f0b6e4af57c5fc92081d66be686c330628b7e61036f899aac0649039cb63040367fbae9e480a9535485a473abbdbfad168ab25d6ae4c75d7433b58 |
C:\Users\Admin\AppData\Local\Temp\9AC9.tmp
| MD5 | 72582c921cad2c9516d29ce1859bfd59 |
| SHA1 | 044cb788956b05806df9b6caf750b6f2f4ee2e7a |
| SHA256 | dc39f49f13b75465ea09928316d7919c7ca3f83ae28b2e27456952aec61fc08f |
| SHA512 | 862c19559b31fdd8c2585793a880f48cb47a03061778760bf2bc703c38f84070df157286677ff6856623eb946e0c92abda4a57748418714586bb19021ff6b1f1 |