Malware Analysis Report

2025-06-16 00:29

Sample ID 240920-bgvega1arg
Target e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf
SHA256 e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf
Tags
simda discovery persistence stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf

Threat Level: Known bad

The file e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

Modifies WinLogon for persistence

simda

Loads dropped DLL

Executes dropped EXE

Modifies WinLogon

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-20 01:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-20 01:07

Reported

2024-09-20 01:10

Platform

win7-20240903-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"
Process: C:\Windows\apppatch\svchost.exe
Target: N/A

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3c302f94 = "ÀÜ]™ž±çu\u00ad•z&Gi—\x06\aý›\x1f©‡\f³ÜˆûôŠ©ã‡ƒŽ“sâéa“\x16–»2ç©6\u008fò#»\x01N\a‘Ó;\x0e»\x03Ïsή£B6\nó§Cº\x19Ën\x06ú2š\x13ãC›êãO3‘S\x13W£G;Ç\x1ba\x01ÞžÚ‹Æ·.\x02ÃCó>“ÊêNz£‡3“Cƒ+»3£©±)^\x13ÿã÷g\x13*3ƒN\x03ÚŸÆ\x1b\x1aóû[›w¹#[†×\x01\vk‘/Ë\"z7®ëÂû–ŽÇc‡.\x13*Ó3KS\x1b::ú«{º[ﮟ\x1bëÖRk+ûk/©6òGc\x1b³\x0f³I¾ASk£ò3É×k+ó«SVc“Ócq/K';.·f««ZçË^ó†\vw›\x19“¦[Ò#¹Ž»öw"
Process: C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3c302f94 = "ÀÜ]™ž±çu\u00ad•z&Gi—\x06\aý›\x1f©‡\f³ÜˆûôŠ©ã‡ƒŽ“sâéa“\x16–»2ç©6\u008fò#»\x01N\a‘Ó;\x0e»\x03Ïsή£B6\nó§Cº\x19Ën\x06ú2š\x13ãC›êãO3‘S\x13W£G;Ç\x1ba\x01ÞžÚ‹Æ·.\x02ÃCó>“ÊêNz£‡3“Cƒ+»3£©±)^\x13ÿã÷g\x13*3ƒN\x03ÚŸÆ\x1b\x1aóû[›w¹#[†×\x01\vk‘/Ë\"z7®ëÂû–ŽÇc‡.\x13*Ó3KS\x1b::ú«{º[ﮟ\x1bëÖRk+ûk/©6òGc\x1b³\x0f³I¾ASk£ò3É×k+ó«SVc“Ócq/K';.·f««ZçË^ó†\vw›\x19“¦[Ò#¹Ž»öw"
Process: C:\Windows\apppatch\svchost.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\apppatch\svchost.exe
Process: C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\apppatch\svchost.exe
Process: C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe
Target: N/A

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Windows\apppatch\svchost.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Count Description Indicator Process Target
4 N/A N/A C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe N/A
60 N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe

"C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto
GB 95.101.143.219:80 www.bing.com tcp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 puvyxil.com udp
US 8.8.8.8:53 lyryfyd.com udp
US 8.8.8.8:53 qegyqaq.com udp
US 8.8.8.8:53 gacyzuz.com udp
US 8.8.8.8:53 vowydef.com udp
US 8.8.8.8:53 qeqysag.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 volykyc.com udp
US 8.8.8.8:53 pufymoq.com udp
US 8.8.8.8:53 pumypog.com udp
US 8.8.8.8:53 lysynur.com udp
US 8.8.8.8:53 qekykev.com udp
US 8.8.8.8:53 ganypih.com udp
US 8.8.8.8:53 vopybyt.com udp
US 8.8.8.8:53 pujyjav.com udp
US 8.8.8.8:53 lyvytuj.com udp
US 8.8.8.8:53 qetyvep.com udp
US 8.8.8.8:53 gahyhob.com udp
US 8.8.8.8:53 vocyruk.com udp
US 8.8.8.8:53 purycap.com udp
US 8.8.8.8:53 lygygin.com udp
US 8.8.8.8:53 qexyryl.com udp
US 8.8.8.8:53 gaqycos.com udp
US 8.8.8.8:53 vofygum.com udp
US 8.8.8.8:53 puzywel.com udp
US 8.8.8.8:53 lyxylux.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 qedyfyq.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 vonyzuf.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 purydyv.com udp
US 8.8.8.8:53 lygymoj.com udp
US 8.8.8.8:53 qexylup.com udp
US 8.8.8.8:53 gaqydeb.com udp
US 8.8.8.8:53 vofymik.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 lymysan.com udp
US 8.8.8.8:53 qedynul.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 galykes.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 pupybul.com udp
US 8.8.8.8:53 lykyjad.com udp
US 8.8.8.8:53 qebytiq.com udp
US 8.8.8.8:53 gatyvyz.com udp
US 8.8.8.8:53 vojyjof.com udp
US 8.8.8.8:53 puvytuq.com udp
US 8.8.8.8:53 lyryvex.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 gacyryw.com udp
US 8.8.8.8:53 vowycac.com udp
US 8.8.8.8:53 pufygug.com udp
US 8.8.8.8:53 lyxywer.com udp
US 8.8.8.8:53 qeqyxov.com udp
US 8.8.8.8:53 gadyfuh.com udp
US 8.8.8.8:53 volyqat.com udp
US 8.8.8.8:53 pumyxiv.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 qekyqop.com udp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 199.191.50.83:80 galyqaz.com tcp
DE 178.162.203.211:80 gatyfus.com tcp
US 13.248.252.114:80 puzylyp.com tcp
US 44.221.84.105:80 qetyfuv.com tcp
US 162.255.119.102:80 gahyqah.com tcp
US 18.208.156.248:80 vonypom.com tcp
US 104.21.30.183:80 qegyhig.com tcp
US 3.94.10.34:80 lymyxid.com tcp
US 44.221.84.105:80 qetyfuv.com tcp
US 208.100.26.245:80 lyvyxor.com tcp
US 172.234.222.143:80 vojyqem.com tcp
US 69.162.80.60:80 lysyfyj.com tcp
HK 154.212.231.82:80 gadyniw.com tcp
US 172.234.222.143:80 vojyqem.com tcp
US 8.8.8.8:53 www.gahyqah.com udp
US 104.21.30.183:443 qegyhig.com tcp
DE 91.195.240.19:80 www.gahyqah.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.35:80 c.pki.goog tcp
US 104.21.30.183:443 qegyhig.com tcp
NL 85.17.31.122:80 gatyfus.com tcp
US 99.83.138.213:80 puzylyp.com tcp
NL 5.79.71.225:80 gatyfus.com tcp
US 13.248.252.114:80 puzylyp.com tcp
NL 5.79.71.225:80 gatyfus.com tcp
US 99.83.138.213:80 puzylyp.com tcp
DE 178.162.203.202:80 gatyfus.com tcp
DE 178.162.217.107:80 gatyfus.com tcp
NL 85.17.31.82:80 gatyfus.com tcp
DE 178.162.203.226:80 gatyfus.com tcp
US 8.8.8.8:53 vopydek.com udp
US 8.8.8.8:53 lyvylyn.com udp
US 8.8.8.8:53 qetysal.com udp
US 8.8.8.8:53 gahynus.com udp
US 8.8.8.8:53 vocykem.com udp
US 8.8.8.8:53 purypol.com udp
US 8.8.8.8:53 lykymox.com udp
US 8.8.8.8:53 lygynud.com udp
US 8.8.8.8:53 qebylug.com udp
US 8.8.8.8:53 gatydaw.com udp
US 8.8.8.8:53 vojymic.com udp
US 8.8.8.8:53 gaqypiz.com udp
US 8.8.8.8:53 puvylyg.com udp
US 8.8.8.8:53 lyrysor.com udp
US 8.8.8.8:53 vofybyf.com udp
US 8.8.8.8:53 qegynuv.com udp
US 8.8.8.8:53 gacykeh.com udp
US 8.8.8.8:53 puzyjoq.com udp
US 8.8.8.8:53 vowypit.com udp
US 8.8.8.8:53 pufybyv.com udp
US 8.8.8.8:53 lymytux.com udp
US 8.8.8.8:53 lyxyjaj.com udp
US 8.8.8.8:53 qeqytup.com udp
US 8.8.8.8:53 qedyveg.com udp
US 8.8.8.8:53 gadyveb.com udp
US 8.8.8.8:53 volyjok.com udp
US 8.8.8.8:53 galyhiw.com udp
US 8.8.8.8:53 vonyryc.com udp
US 8.8.8.8:53 pupycag.com udp
US 8.8.8.8:53 lykygur.com udp
US 8.8.8.8:53 qebyrev.com udp
US 8.8.8.8:53 gatycoh.com udp
US 8.8.8.8:53 puvywav.com udp
US 8.8.8.8:53 vojygut.com udp
US 8.8.8.8:53 lyryxij.com udp
US 8.8.8.8:53 qegyfyp.com udp
US 8.8.8.8:53 vowyzuk.com udp
US 8.8.8.8:53 gacyqob.com udp
US 8.8.8.8:53 pufydep.com udp
US 8.8.8.8:53 lyxymin.com udp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 qeqylyl.com udp
US 8.8.8.8:53 gadydas.com udp
US 8.8.8.8:53 pumytup.com udp
US 8.8.8.8:53 volymum.com udp
US 8.8.8.8:53 ganyzub.com udp
US 8.8.8.8:53 lysyvan.com udp
US 8.8.8.8:53 pujymip.com udp
US 8.8.8.8:53 qekyhil.com udp
US 8.8.8.8:53 qexykaq.com udp
US 8.8.8.8:53 ganyrys.com udp
US 8.8.8.8:53 vopycom.com udp
US 8.8.8.8:53 pujygul.com udp
US 8.8.8.8:53 lyvywed.com udp
US 8.8.8.8:53 qetyxiq.com udp
US 8.8.8.8:53 gahyfyz.com udp
US 8.8.8.8:53 vocyqaf.com udp
US 8.8.8.8:53 puryxuq.com udp
US 8.8.8.8:53 lygyfex.com udp
US 8.8.8.8:53 qexyqog.com udp
US 8.8.8.8:53 gaqyzuw.com udp
US 8.8.8.8:53 vofydac.com udp
US 8.8.8.8:53 puzymig.com udp
US 8.8.8.8:53 lymylyr.com udp
US 8.8.8.8:53 lyrysor.com udp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 lysyvan.com udp
US 13.248.169.48:80 pupydeq.com tcp
US 104.21.26.151:80 lysyvan.com tcp
US 8.8.8.8:53 pupycag.com udp
US 18.208.156.248:80 pupycag.com tcp
CN 103.150.10.58:80 lyrysor.com tcp
US 104.21.26.151:443 lysyvan.com tcp
US 104.21.26.151:443 lysyvan.com tcp
US 13.248.169.48:80 pupydeq.com tcp
CN 103.150.10.58:80 lyrysor.com tcp
US 8.8.8.8:53 lyvyjox.com udp
US 8.8.8.8:53 galynuh.com udp
US 8.8.8.8:53 qedysov.com udp
US 8.8.8.8:53 qetytug.com udp
US 8.8.8.8:53 vocyjic.com udp
US 8.8.8.8:53 purytyg.com udp
US 8.8.8.8:53 lygyvar.com udp
US 8.8.8.8:53 qexyhuv.com udp
US 8.8.8.8:53 gaqyreh.com udp
US 8.8.8.8:53 vofycot.com udp
US 8.8.8.8:53 puzyguv.com udp
US 8.8.8.8:53 pumylel.com udp
US 8.8.8.8:53 lymywaj.com udp
US 8.8.8.8:53 lysysod.com udp
US 8.8.8.8:53 qekynuq.com udp
US 8.8.8.8:53 qedyxip.com udp
US 8.8.8.8:53 ganykaz.com udp
US 8.8.8.8:53 vopypif.com udp
US 8.8.8.8:53 galyfyb.com udp
US 8.8.8.8:53 pupyxup.com udp
US 8.8.8.8:53 pujybyq.com udp
US 8.8.8.8:53 vonyqok.com udp
US 8.8.8.8:53 lykyfen.com udp
US 8.8.8.8:53 qebykap.com udp
US 8.8.8.8:53 vonyket.com udp
US 8.8.8.8:53 gahyvew.com udp
US 8.8.8.8:53 pupypiv.com udp
US 8.8.8.8:53 lykynyj.com udp
US 8.8.8.8:53 qebyqil.com udp
US 8.8.8.8:53 gatyzys.com udp
US 8.8.8.8:53 gatypub.com udp
US 8.8.8.8:53 vojydam.com udp
US 8.8.8.8:53 vojybek.com udp
US 8.8.8.8:53 puvymul.com udp
US 8.8.8.8:53 puvyjop.com udp
US 8.8.8.8:53 lyryled.com udp
US 8.8.8.8:53 lyrytun.com udp
US 8.8.8.8:53 qegysoq.com udp
US 8.8.8.8:53 gacynuz.com udp
US 8.8.8.8:53 qegyval.com udp
US 8.8.8.8:53 vowykaf.com udp
US 8.8.8.8:53 gacyhis.com udp
US 8.8.8.8:53 pufypiq.com udp
US 8.8.8.8:53 vowyrym.com udp
US 8.8.8.8:53 lyxynyx.com udp
US 8.8.8.8:53 pufycol.com udp
US 8.8.8.8:53 qeqyreq.com udp
US 8.8.8.8:53 lyxygud.com udp
US 8.8.8.8:53 gadyciz.com udp
US 8.8.8.8:53 volygyf.com udp
US 8.8.8.8:53 pumywaq.com udp
US 8.8.8.8:53 lysyxux.com udp
US 8.8.8.8:53 qekyfeg.com udp
US 8.8.8.8:53 vopyzuc.com udp
US 8.8.8.8:53 pujydag.com udp
US 8.8.8.8:53 lyvymir.com udp
US 8.8.8.8:53 qetylyv.com udp
US 8.8.8.8:53 gahydoh.com udp
US 8.8.8.8:53 purylev.com udp
US 8.8.8.8:53 lygysij.com udp
US 8.8.8.8:53 gaqykab.com udp
US 8.8.8.8:53 ganyqow.com udp
US 8.8.8.8:53 vocymut.com udp
US 8.8.8.8:53 qexynyp.com udp
US 8.8.8.8:53 qexyhuv.com udp
US 8.8.8.8:53 galynuh.com udp
US 64.225.91.73:80 galynuh.com tcp
US 15.197.240.20:80 qexyhuv.com tcp
US 8.8.8.8:53 gadyciz.com udp
US 8.8.8.8:53 vofycot.com udp
US 8.8.8.8:53 lyxynyx.com udp
US 103.224.182.252:80 vofycot.com tcp
US 8.8.8.8:53 qegyval.com udp
US 44.221.84.105:80 gadyciz.com tcp
US 103.224.212.210:80 lyxynyx.com tcp
US 8.8.8.8:53 ww16.vofycot.com udp
HK 154.85.183.50:80 qegyval.com tcp
DE 64.190.63.136:80 ww16.vofycot.com tcp
US 8.8.8.8:53 ww25.lyxynyx.com udp
US 199.59.243.226:80 ww25.lyxynyx.com tcp

Files

memory/2176-0-0x0000000000400000-0x00000000005BA000-memory.dmp

memory/2176-1-0x0000000000300000-0x0000000000351000-memory.dmp

memory/2176-2-0x0000000000400000-0x000000000045F000-memory.dmp

\Windows\AppPatch\svchost.exe

MD5 86fb254e7e6607fc743989235c384859
SHA1 ac6dc94f01aa642a4acf37b6dc82f12666dd4349
SHA256 654d1c18101f875d5d3893ee668d3f30afce17051ad4ef651f37e28a11e26326
SHA512 b108e31936b965a4486de7a2d40b7bf315e3c7313a6ca5b3016a2a74d683987bbca1b274081cdd543e45ca8065e719e2f44d84c140eb01264645c0034c154a16

memory/2176-17-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2176-16-0x0000000000300000-0x0000000000351000-memory.dmp

memory/2176-15-0x0000000000400000-0x00000000005BA000-memory.dmp

memory/2460-19-0x0000000000400000-0x00000000005BA000-memory.dmp

memory/2460-20-0x0000000000400000-0x00000000005BA000-memory.dmp

memory/2460-21-0x0000000000400000-0x00000000005BA000-memory.dmp

memory/2460-25-0x0000000001E20000-0x0000000001EC8000-memory.dmp

memory/2460-32-0x0000000001E20000-0x0000000001EC8000-memory.dmp

memory/2460-30-0x0000000001E20000-0x0000000001EC8000-memory.dmp

memory/2460-33-0x0000000000400000-0x00000000005BA000-memory.dmp

memory/2460-28-0x0000000001E20000-0x0000000001EC8000-memory.dmp

memory/2460-26-0x0000000001E20000-0x0000000001EC8000-memory.dmp

memory/2460-22-0x0000000001E20000-0x0000000001EC8000-memory.dmp

memory/2460-34-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-38-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-36-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-47-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-52-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-84-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-83-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-82-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-81-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-80-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-79-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-78-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-77-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-76-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-75-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-74-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-73-0x00000000024E0000-0x0000000002596000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E1B1.tmp

MD5 0e1cb5716ef9049405aa208d4cb2da8f
SHA1 ebe0c4d65eb1cf4628b063106280a515c3938bc9
SHA256 aa5231083370fa609de0a7313c15b904c10f8931d1e18a14befe825d01d933e6
SHA512 40d46d4ce5ca7e8341b625816382b110c00c3ce2e8429828a69898023fe139854ec0c7f5eba0cfcda032a4cfcca806199cd8ba5827626023c3692b58cbf19678

memory/2460-72-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-71-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-70-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-69-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-68-0x00000000024E0000-0x0000000002596000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E10F.tmp

MD5 175b9290ab7d27aecd4e285213022aeb
SHA1 e8cb945fd916077d0ce60678b5f26997ebaad452
SHA256 73a23d9d93b9c015410fe6e7f230d3c392a4a8c5632dbd5d7fd8d1ff5848e280
SHA512 f1cad406b12e48d07da2e5f731438898f1027efba045753a26f6ea09a2ed6403633e70914e2ff211c8f6c0403cf5be70434cb93ad0c2b06b4bdedd39a4ca67b8

memory/2460-67-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-66-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-65-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-64-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-63-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-62-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-60-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-59-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-58-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-57-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-56-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-55-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-54-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-53-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-51-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-50-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-49-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-48-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-46-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-45-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-43-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-42-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-41-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-61-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-44-0x00000000024E0000-0x0000000002596000-memory.dmp

memory/2460-40-0x00000000024E0000-0x0000000002596000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-20 01:07

Reported

2024-09-20 01:09

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"
Process: C:\Windows\apppatch\svchost.exe
Target: N/A

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\6cf32fee = "@X¬1Büš;yß÷ûƒâóÏW•\x16\x02\x03µESWO\x7f\x1a\x16ækÞîú\b\x03”«¬\x06´Û\\2{\x12s’»bK»ˆ¢Ö˃¢k~æ.KšÞzhò³ÚVPîè,š\x12J\x1bÓJ~Ì\f`J›ö6\x14ØË˜hºKÖ\bî’‹ó¶“\u0090³Ô¦R\x1b@êCŽ\nŒÛ¢>$J¦óÄjÆúæZ¾\x03ŠÂšzÚhæ[»\x12p\fr3r»¾S“¸Fòäë“4[$¼6¶\fÆK\v6@\x06\b³4Ns\vˆ \x1cfBjÄÊ\\£¦î~>v\u0090.\n#Óã\x13’³ÓrŠ,’ò\u0090Þ²²*³Ó£ëœÖ²›fþè\x04ÃÆóúæ0¢ƒîì\x03~ž\n\bv\b{úÔŠ\x10\x12¤\x1bËÓœhHâÓL\f\n:Öä"
Process: C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\6cf32fee = "@X¬1Büš;yß÷ûƒâóÏW•\x16\x02\x03µESWO\x7f\x1a\x16ækÞîú\b\x03”«¬\x06´Û\\2{\x12s’»bK»ˆ¢Ö˃¢k~æ.KšÞzhò³ÚVPîè,š\x12J\x1bÓJ~Ì\f`J›ö6\x14ØË˜hºKÖ\bî’‹ó¶“\u0090³Ô¦R\x1b@êCŽ\nŒÛ¢>$J¦óÄjÆúæZ¾\x03ŠÂšzÚhæ[»\x12p\fr3r»¾S“¸Fòäë“4[$¼6¶\fÆK\v6@\x06\b³4Ns\vˆ \x1cfBjÄÊ\\£¦î~>v\u0090.\n#Óã\x13’³ÓrŠ,’ò\u0090Þ²²*³Ó£ëœÖ²›fþè\x04ÃÆóúæ0¢ƒîì\x03~ž\n\bv\b{úÔŠ\x10\x12¤\x1bËÓœhHâÓL\f\n:Öä"
Process: C:\Windows\apppatch\svchost.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\apppatch\svchost.exe
Process: C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\apppatch\svchost.exe
Process: C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe
Target: N/A

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Windows\apppatch\svchost.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Count Description Indicator Process Target
8 N/A N/A C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe N/A
56 N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe

"C:\Users\Admin\AppData\Local\Temp\e06d50ec3f6776e2c20ae71001e0eeeb13edbd50dbdebf7515116be0f0083ecf.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
GB 95.101.143.201:80 www.bing.com tcp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 puvyxil.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 lyryfyd.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 qegyqaq.com udp
US 8.8.8.8:53 purydyv.com udp
US 8.8.8.8:53 gacyzuz.com udp
US 8.8.8.8:53 lygymoj.com udp
US 8.8.8.8:53 vowydef.com udp
US 8.8.8.8:53 qexylup.com udp
US 8.8.8.8:53 pufymoq.com udp
US 8.8.8.8:53 gaqydeb.com udp
US 8.8.8.8:53 lyxylux.com udp
US 8.8.8.8:53 vofymik.com udp
US 8.8.8.8:53 qeqysag.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 lymysan.com udp
US 8.8.8.8:53 volykyc.com udp
US 8.8.8.8:53 qedynul.com udp
US 8.8.8.8:53 pumypog.com udp
US 8.8.8.8:53 galykes.com udp
US 8.8.8.8:53 lysynur.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 qekykev.com udp
US 8.8.8.8:53 pupybul.com udp
US 8.8.8.8:53 ganypih.com udp
US 8.8.8.8:53 vopybyt.com udp
US 8.8.8.8:53 qebytiq.com udp
US 8.8.8.8:53 pujyjav.com udp
US 8.8.8.8:53 gatyvyz.com udp
US 8.8.8.8:53 lyvytuj.com udp
US 8.8.8.8:53 vojyjof.com udp
US 8.8.8.8:53 qetyvep.com udp
US 8.8.8.8:53 puvytuq.com udp
US 8.8.8.8:53 gahyhob.com udp
US 8.8.8.8:53 lyryvex.com udp
US 8.8.8.8:53 vocyruk.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 purycap.com udp
US 8.8.8.8:53 gacyryw.com udp
US 8.8.8.8:53 lygygin.com udp
US 8.8.8.8:53 vowycac.com udp
US 8.8.8.8:53 qexyryl.com udp
US 8.8.8.8:53 pufygug.com udp
US 8.8.8.8:53 lyxywer.com udp
US 8.8.8.8:53 gaqycos.com udp
US 8.8.8.8:53 vofygum.com udp
US 8.8.8.8:53 qeqyxov.com udp
US 8.8.8.8:53 puzywel.com udp
US 8.8.8.8:53 gadyfuh.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 volyqat.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 qedyfyq.com udp
US 8.8.8.8:53 pumyxiv.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 vonyzuf.com udp
US 8.8.8.8:53 qekyqop.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 qegyhig.com udp

Files

C:\Windows\apppatch\svchost.exe

MD5 502cdc3f69abef7cb7de10f2a1ad99a6
SHA1 cb404f07f2de1c5bdb7dc5fe7c550a4777f289d5
SHA256 d241affdaa299b6a5620c116a69f2d85a613015f8ee5fb90c66c185560cfddd0
SHA512 ae281649d928cba49790ea167033ac99810c8b276299ceb2399aea01cbe9887975a48b384e10022a3cefafa344bce8fe906a359723801e337d9416a04d403c69

C:\Users\Admin\AppData\Local\Temp\9CB9.tmp

MD5 88b694ce4f2e204426940bf08ced2f98
SHA1 2af1502295a3530bbb51c284dd7c9a7f0fd454d6
SHA256 27754bddfe21c43c9b71f2e1d802f8dd4e5a2ee528ac911d5a676ea5238db6c9
SHA512 373c0fc165f0b6e4af57c5fc92081d66be686c330628b7e61036f899aac0649039cb63040367fbae9e480a9535485a473abbdbfad168ab25d6ae4c75d7433b58

C:\Users\Admin\AppData\Local\Temp\9AC9.tmp

MD5 72582c921cad2c9516d29ce1859bfd59
SHA1 044cb788956b05806df9b6caf750b6f2f4ee2e7a
SHA256 dc39f49f13b75465ea09928316d7919c7ca3f83ae28b2e27456952aec61fc08f
SHA512 862c19559b31fdd8c2585793a880f48cb47a03061778760bf2bc703c38f84070df157286677ff6856623eb946e0c92abda4a57748418714586bb19021ff6b1f1
