Malware Analysis Report

2024-12-07 15:01

Sample ID 241029-lk12jatgpk
Target 169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N
SHA256 169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50
Tags
simda discovery persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50

Threat Level: Known bad

The file 169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

Simda family

Modifies WinLogon for persistence

simda

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-29 09:36

Signatures

Simda family

simda

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-29 09:36

Reported

2024-10-29 09:38

Platform

win7-20240903-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\112cde52 = "CŠ<\x17IŸ_\x17æšlè@X¸!•âYýCö+p?K\x14'\x05Ó=P¸áI\tÉÁahYq" C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\112cde52 = "CŠ<\x17IŸ_\x17æšlè@X¸!•âYýCö+p?K\x14'\x05Ó=P¸áI\tÉÁahYq" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe

"C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto
GB 2.18.27.89:80 www.bing.com tcp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 galykes.com udp
US 8.8.8.8:53 qedynul.com udp
US 8.8.8.8:53 lymysan.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 vofymik.com udp
US 8.8.8.8:53 gaqydeb.com udp
US 8.8.8.8:53 qexylup.com udp
US 8.8.8.8:53 lygymoj.com udp
US 8.8.8.8:53 purydyv.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 puvyxil.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 lysynur.com udp
US 8.8.8.8:53 pumypog.com udp
US 8.8.8.8:53 volykyc.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 qeqysag.com udp
US 8.8.8.8:53 lyxylux.com udp
US 8.8.8.8:53 pufymoq.com udp
US 8.8.8.8:53 vowydef.com udp
US 8.8.8.8:53 gacyzuz.com udp
US 8.8.8.8:53 qegyqaq.com udp
US 8.8.8.8:53 lyryfyd.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 vojyqem.com udp
US 44.221.84.105:80 qetyfuv.com tcp
US 23.253.46.64:80 gahyqah.com tcp
US 172.234.222.143:80 vojyqem.com tcp
NL 85.17.31.82:80 gatyfus.com tcp
US 44.221.84.105:80 qetyfuv.com tcp
US 18.208.156.248:80 vonypom.com tcp
US 75.2.71.199:80 puzylyp.com tcp
US 208.100.26.245:80 lyvyxor.com tcp
US 23.253.46.64:80 gahyqah.com tcp
US 75.2.71.199:80 puzylyp.com tcp
US 172.234.222.143:80 vojyqem.com tcp
US 8.8.8.8:53 qekykev.com udp
US 8.8.8.8:53 ganypih.com udp
US 8.8.8.8:53 vopybyt.com udp
US 8.8.8.8:53 pujyjav.com udp
US 8.8.8.8:53 lyvytuj.com udp
US 8.8.8.8:53 qetyvep.com udp
US 8.8.8.8:53 gahyhob.com udp
US 8.8.8.8:53 lykyjad.com udp
US 8.8.8.8:53 qebytiq.com udp
US 8.8.8.8:53 pupybul.com udp
US 8.8.8.8:53 gatyvyz.com udp
US 8.8.8.8:53 vojyjof.com udp
US 8.8.8.8:53 puvytuq.com udp
US 8.8.8.8:53 lyryvex.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 gacyryw.com udp
US 8.8.8.8:53 vowycac.com udp
US 8.8.8.8:53 pufygug.com udp
US 8.8.8.8:53 lyxywer.com udp
US 8.8.8.8:53 qeqyxov.com udp
US 8.8.8.8:53 gadyfuh.com udp
US 8.8.8.8:53 volyqat.com udp
US 8.8.8.8:53 pumyxiv.com udp
US 8.8.8.8:53 qekyqop.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 vocyruk.com udp
US 8.8.8.8:53 purycap.com udp
US 8.8.8.8:53 lygygin.com udp
US 8.8.8.8:53 qexyryl.com udp
US 8.8.8.8:53 gaqycos.com udp
US 8.8.8.8:53 vofygum.com udp
US 8.8.8.8:53 puzywel.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 qedyfyq.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 vonyzuf.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 199.191.50.83:80 galyqaz.com tcp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 qegyhig.com udp
US 3.94.10.34:80 lymyxid.com tcp
US 104.21.30.183:80 qegyhig.com tcp
US 69.162.80.62:80 lysyfyj.com tcp
DE 178.162.217.107:80 gatyfus.com tcp
US 104.21.30.183:443 qegyhig.com tcp
US 8.8.8.8:53 gadyniw.com udp
HK 154.212.231.82:80 gadyniw.com tcp
US 69.162.80.62:80 lysyfyj.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
DE 178.162.203.211:80 gatyfus.com tcp
US 104.21.30.183:443 qegyhig.com tcp
DE 178.162.203.226:80 gatyfus.com tcp
NL 5.79.71.225:80 gatyfus.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.73:80 crl.microsoft.com tcp
DE 178.162.203.202:80 gatyfus.com tcp
NL 85.17.31.122:80 gatyfus.com tcp
NL 5.79.71.205:80 gatyfus.com tcp
NL 85.17.31.82:80 gatyfus.com tcp
US 8.8.8.8:53 gadyveb.com udp
US 8.8.8.8:53 volyjok.com udp
US 8.8.8.8:53 pumytup.com udp
US 8.8.8.8:53 lysyvan.com udp
US 8.8.8.8:53 qekyhil.com udp
US 8.8.8.8:53 ganyrys.com udp
US 8.8.8.8:53 vopycom.com udp
US 8.8.8.8:53 pujygul.com udp
US 8.8.8.8:53 lyvywed.com udp
US 8.8.8.8:53 qetyxiq.com udp
US 8.8.8.8:53 gahyfyz.com udp
US 8.8.8.8:53 vocyqaf.com udp
US 8.8.8.8:53 puryxuq.com udp
US 8.8.8.8:53 qexyqog.com udp
US 8.8.8.8:53 vofydac.com udp
US 8.8.8.8:53 lygyfex.com udp
US 8.8.8.8:53 puvylyg.com udp
US 8.8.8.8:53 vojymic.com udp
US 8.8.8.8:53 puzymig.com udp
US 8.8.8.8:53 lymylyr.com udp
US 8.8.8.8:53 pujymip.com udp
US 8.8.8.8:53 vopydek.com udp
US 8.8.8.8:53 lyvylyn.com udp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 qetysal.com udp
US 8.8.8.8:53 vocykem.com udp
US 8.8.8.8:53 lykymox.com udp
US 8.8.8.8:53 gaqypiz.com udp
US 8.8.8.8:53 puzyjoq.com udp
US 8.8.8.8:53 vonyryc.com udp
US 8.8.8.8:53 qedyveg.com udp
US 8.8.8.8:53 lykygur.com udp
US 8.8.8.8:53 gatycoh.com udp
US 8.8.8.8:53 qegyfyp.com udp
US 8.8.8.8:53 vowyzuk.com udp
US 8.8.8.8:53 puvywav.com udp
US 8.8.8.8:53 lyxymin.com udp
US 8.8.8.8:53 purypol.com udp
US 8.8.8.8:53 gacykeh.com udp
US 8.8.8.8:53 lyrysor.com udp
US 8.8.8.8:53 qeqytup.com udp
US 8.8.8.8:53 ganyzub.com udp
US 8.8.8.8:53 gahynus.com udp
US 8.8.8.8:53 qexykaq.com udp
US 8.8.8.8:53 vofybyf.com udp
US 8.8.8.8:53 lymytux.com udp
US 8.8.8.8:53 galyhiw.com udp
US 8.8.8.8:53 qebylug.com udp
US 8.8.8.8:53 qebyrev.com udp
US 8.8.8.8:53 pupycag.com udp
US 8.8.8.8:53 vojygut.com udp
US 8.8.8.8:53 lyryxij.com udp
US 8.8.8.8:53 gacyqob.com udp
US 8.8.8.8:53 qeqylyl.com udp
US 8.8.8.8:53 pufybyv.com udp
US 8.8.8.8:53 gatydaw.com udp
US 8.8.8.8:53 volymum.com udp
US 8.8.8.8:53 gadydas.com udp
US 8.8.8.8:53 pufydep.com udp
US 8.8.8.8:53 lygynud.com udp
US 8.8.8.8:53 qegynuv.com udp
US 8.8.8.8:53 lyxyjaj.com udp
US 8.8.8.8:53 vowypit.com udp
US 8.8.8.8:53 lysyvan.com udp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 pupycag.com udp
US 172.67.136.136:80 lysyvan.com tcp
US 76.223.54.146:80 pupydeq.com tcp
US 8.8.8.8:53 lyrysor.com udp
CN 112.29.210.31:80 lyrysor.com tcp
US 8.8.8.8:53 lygynud.com udp
US 18.208.156.248:80 pupycag.com tcp
US 35.225.36.88:80 lygynud.com tcp
US 172.67.136.136:443 lysyvan.com tcp
US 76.223.54.146:80 pupydeq.com tcp
US 172.67.136.136:443 lysyvan.com tcp
CN 112.29.210.31:80 lyrysor.com tcp

Files

C:\Windows\AppPatch\svchost.exe

MD5 cb0632566e8eedf23059957948728ad7
SHA1 8f21ee652ff021df389ef17d5c531d018a22ee30
SHA256 c2a91e339c41189f6cdde5858f6ff130e08df4276f84ef8d79be51d04d4c03c8
SHA512 a2e08c18bafb7e94724572b86837c597380f6f78b8bb2478fe051e2b4a61468b0d8a635f95196e895215403738ea384bf7e5bbc49915e766afca6f536ac62fae

memory/2688-13-0x0000000000400000-0x000000000046B000-memory.dmp

memory/2648-18-0x00000000021E0000-0x0000000002288000-memory.dmp

memory/2648-24-0x00000000021E0000-0x0000000002288000-memory.dmp

memory/2648-23-0x00000000021E0000-0x0000000002288000-memory.dmp

memory/2648-16-0x00000000021E0000-0x0000000002288000-memory.dmp

memory/2648-20-0x00000000021E0000-0x0000000002288000-memory.dmp

memory/2648-14-0x00000000021E0000-0x0000000002288000-memory.dmp

memory/2648-25-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-28-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-30-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-32-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-33-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-37-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-44-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-53-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-59-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-58-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-57-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-56-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-55-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-54-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-52-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-51-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-50-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-49-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-48-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-47-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-46-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-45-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-43-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-67-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-42-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-41-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-40-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-39-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-38-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-71-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-80-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-81-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-84-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-83-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-82-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-79-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-78-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-77-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-76-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-75-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-74-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-73-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-72-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-36-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-35-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-34-0x0000000002390000-0x0000000002446000-memory.dmp

memory/2648-192-0x0000000002390000-0x0000000002446000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-29 09:36

Reported

2024-10-29 09:38

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\59a4e30e = "5I×\nßkn\x10É\fUyOÈy¯´åþ–ê\x11–±\x04íRPLÖ0•¢€eŠAú©rvGú×\x1dO\x1e²@¦\u009d“ˆßýa;ØUÐh‹\x1bî¾Éþ\x18b!. ޝ¾\rî«\x10>¶Ÿ8°v¨ÙW:\x1e·6ñhÍŽX:þ~\u0081ÙÉ%¡Qʪ\x19îMצ°\x05šQh\x01r& ÓxÙ‡Öyæ~€½%ù\x1b\x132\":Æ=–¹J" C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\59a4e30e = "5I×\nßkn\x10É\fUyOÈy¯´åþ–ê\x11–±\x04íRPLÖ0•¢€eŠAú©rvGú×\x1dO\x1e²@¦\u009d“ˆßýa;ØUÐh‹\x1bî¾Éþ\x18b!. ޝ¾\rî«\x10>¶Ÿ8°v¨ÙW:\x1e·6ñhÍŽX:þ~\u0081ÙÉ%¡Qʪ\x19îMצ°\x05šQh\x01r& ÓxÙ‡Öyæ~€½%ù\x1b\x132\":Æ=–¹J" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe

"C:\Users\Admin\AppData\Local\Temp\169e61287e7c38cd2f039125d2e9b1d8af8d71d2444d5819c3c28f9702c7fa50N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto
GB 2.18.27.89:80 www.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 puvyxil.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 lyryfyd.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 qegyqaq.com udp
US 8.8.8.8:53 purydyv.com udp
US 8.8.8.8:53 gacyzuz.com udp
US 8.8.8.8:53 vowydef.com udp
US 8.8.8.8:53 qexylup.com udp
US 8.8.8.8:53 lygymoj.com udp
US 8.8.8.8:53 pufymoq.com udp
US 8.8.8.8:53 gaqydeb.com udp
US 8.8.8.8:53 lyxylux.com udp
US 8.8.8.8:53 vofymik.com udp
US 8.8.8.8:53 qeqysag.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 lymysan.com udp
US 8.8.8.8:53 qedynul.com udp
US 8.8.8.8:53 pumypog.com udp
US 8.8.8.8:53 volykyc.com udp
US 8.8.8.8:53 galykes.com udp
US 8.8.8.8:53 lysynur.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 qekykev.com udp
US 8.8.8.8:53 pupybul.com udp
US 8.8.8.8:53 ganypih.com udp
US 8.8.8.8:53 lykyjad.com udp
US 8.8.8.8:53 vopybyt.com udp
US 8.8.8.8:53 qebytiq.com udp
US 8.8.8.8:53 pujyjav.com udp
US 8.8.8.8:53 gatyvyz.com udp
US 8.8.8.8:53 lyvytuj.com udp
US 8.8.8.8:53 vojyjof.com udp
US 8.8.8.8:53 qetyvep.com udp
US 8.8.8.8:53 puvytuq.com udp
US 8.8.8.8:53 gahyhob.com udp
US 8.8.8.8:53 lyryvex.com udp
US 8.8.8.8:53 vocyruk.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 purycap.com udp
US 8.8.8.8:53 lygygin.com udp
US 8.8.8.8:53 gacyryw.com udp
US 8.8.8.8:53 vowycac.com udp
US 8.8.8.8:53 qexyryl.com udp
US 8.8.8.8:53 pufygug.com udp
US 8.8.8.8:53 gaqycos.com udp
US 8.8.8.8:53 lyxywer.com udp
US 8.8.8.8:53 vofygum.com udp
US 8.8.8.8:53 qeqyxov.com udp
US 8.8.8.8:53 puzywel.com udp
US 8.8.8.8:53 gadyfuh.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 volyqat.com udp
US 8.8.8.8:53 qedyfyq.com udp
US 8.8.8.8:53 pumyxiv.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 vonyzuf.com udp
US 8.8.8.8:53 qekyqop.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 89.27.18.2.in-addr.arpa udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 vojyqem.com udp
US 208.100.26.245:80 lyvyxor.com tcp
US 44.221.84.105:80 vocyzit.com tcp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 vonypom.com udp
US 99.83.170.3:80 puzylyp.com tcp
US 44.221.84.105:80 vocyzit.com tcp
NL 5.79.71.205:80 gatyfus.com tcp
US 172.234.222.143:80 vojyqem.com tcp
US 162.255.119.102:80 gahyqah.com tcp
US 104.21.30.183:80 qegyhig.com tcp
US 199.191.50.83:80 galyqaz.com tcp
US 18.208.156.248:80 vonypom.com tcp
US 3.94.10.34:80 lymyxid.com tcp
US 69.162.80.62:80 lysyfyj.com tcp
US 172.234.222.143:80 vojyqem.com tcp
US 8.8.8.8:53 www.gahyqah.com udp
US 99.83.170.3:443 puzylyp.com tcp
HK 154.212.231.82:80 gadyniw.com tcp
US 104.21.30.183:443 qegyhig.com tcp
DE 91.195.240.19:80 www.gahyqah.com tcp
US 69.162.80.62:80 lysyfyj.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.195:80 c.pki.goog tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 3.170.83.99.in-addr.arpa udp
US 8.8.8.8:53 183.30.21.104.in-addr.arpa udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 143.222.234.172.in-addr.arpa udp
US 8.8.8.8:53 102.119.255.162.in-addr.arpa udp
US 8.8.8.8:53 83.50.191.199.in-addr.arpa udp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 62.80.162.69.in-addr.arpa udp
US 8.8.8.8:53 19.240.195.91.in-addr.arpa udp
US 8.8.8.8:53 82.231.212.154.in-addr.arpa udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 104.21.30.183:443 qegyhig.com tcp
US 8.8.8.8:53 205.71.79.5.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
NL 5.79.71.205:80 gatyfus.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 ganyzub.com udp
US 8.8.8.8:53 lykymox.com udp
US 8.8.8.8:53 vopydek.com udp
US 8.8.8.8:53 qebylug.com udp
US 8.8.8.8:53 pujymip.com udp
US 8.8.8.8:53 gatydaw.com udp
US 8.8.8.8:53 lyvylyn.com udp
US 8.8.8.8:53 vojymic.com udp
US 8.8.8.8:53 qetysal.com udp
US 8.8.8.8:53 puvylyg.com udp
US 8.8.8.8:53 gahynus.com udp
US 8.8.8.8:53 lyrysor.com udp
US 8.8.8.8:53 vocykem.com udp
US 8.8.8.8:53 qegynuv.com udp
US 8.8.8.8:53 purypol.com udp
US 8.8.8.8:53 gacykeh.com udp
US 8.8.8.8:53 lygynud.com udp
US 8.8.8.8:53 vowypit.com udp
US 8.8.8.8:53 qexykaq.com udp
US 8.8.8.8:53 pufybyv.com udp
US 8.8.8.8:53 gaqypiz.com udp
US 8.8.8.8:53 lyxyjaj.com udp
US 8.8.8.8:53 vofybyf.com udp
US 8.8.8.8:53 qeqytup.com udp
US 8.8.8.8:53 puzyjoq.com udp
US 8.8.8.8:53 lymytux.com udp
US 8.8.8.8:53 gadyveb.com udp
US 8.8.8.8:53 volyjok.com udp
US 8.8.8.8:53 qedyveg.com udp
US 8.8.8.8:53 pumytup.com udp
US 8.8.8.8:53 galyhiw.com udp
US 8.8.8.8:53 lysyvan.com udp
US 8.8.8.8:53 qekyhil.com udp
US 8.8.8.8:53 pupycag.com udp
US 8.8.8.8:53 ganyrys.com udp
US 8.8.8.8:53 lykygur.com udp
US 8.8.8.8:53 vopycom.com udp
US 8.8.8.8:53 qebyrev.com udp
US 8.8.8.8:53 pujygul.com udp
US 8.8.8.8:53 vonyryc.com udp
US 8.8.8.8:53 gatycoh.com udp
US 8.8.8.8:53 lyvywed.com udp
US 8.8.8.8:53 vojygut.com udp
US 8.8.8.8:53 qetyxiq.com udp
US 8.8.8.8:53 puvywav.com udp
US 8.8.8.8:53 gahyfyz.com udp
US 8.8.8.8:53 vocyqaf.com udp
US 8.8.8.8:53 qegyfyp.com udp
US 8.8.8.8:53 puryxuq.com udp
US 8.8.8.8:53 lyryxij.com udp
US 8.8.8.8:53 gacyqob.com udp
US 8.8.8.8:53 lygyfex.com udp
US 8.8.8.8:53 vowyzuk.com udp
US 8.8.8.8:53 qexyqog.com udp
US 8.8.8.8:53 pufydep.com udp
US 8.8.8.8:53 gaqyzuw.com udp
US 8.8.8.8:53 lyxymin.com udp
US 8.8.8.8:53 vofydac.com udp
US 8.8.8.8:53 qeqylyl.com udp
US 8.8.8.8:53 puzymig.com udp
US 8.8.8.8:53 gadydas.com udp
US 8.8.8.8:53 lymylyr.com udp
US 8.8.8.8:53 volymum.com udp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 lygynud.com udp
US 8.8.8.8:53 lyrysor.com udp
US 8.8.8.8:53 lysyvan.com udp
US 13.248.169.48:80 pupydeq.com tcp
US 8.8.8.8:53 pupycag.com udp
US 104.21.26.151:80 lysyvan.com tcp
US 35.225.36.88:80 lygynud.com tcp
CN 112.29.210.31:80 lyrysor.com tcp
US 18.208.156.248:80 pupycag.com tcp
US 104.21.26.151:443 lysyvan.com tcp
US 8.8.8.8:53 151.26.21.104.in-addr.arpa udp
US 8.8.8.8:53 48.169.248.13.in-addr.arpa udp
US 8.8.8.8:53 88.36.225.35.in-addr.arpa udp
US 104.21.26.151:443 lysyvan.com tcp
US 13.248.169.48:80 pupydeq.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
CN 112.29.210.31:80 lyrysor.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 qedysov.com udp
US 8.8.8.8:53 pumylel.com udp
US 8.8.8.8:53 galynuh.com udp
US 8.8.8.8:53 lysysod.com udp
US 8.8.8.8:53 vonyket.com udp
US 8.8.8.8:53 qekynuq.com udp
US 8.8.8.8:53 pupypiv.com udp
US 8.8.8.8:53 ganykaz.com udp
US 8.8.8.8:53 lykynyj.com udp
US 8.8.8.8:53 vopypif.com udp
US 8.8.8.8:53 qebykap.com udp
US 8.8.8.8:53 pujybyq.com udp
US 8.8.8.8:53 gatypub.com udp
US 8.8.8.8:53 lyvyjox.com udp
US 8.8.8.8:53 vojybek.com udp
US 8.8.8.8:53 qetytug.com udp
US 8.8.8.8:53 puvyjop.com udp
US 8.8.8.8:53 gahyvew.com udp
US 8.8.8.8:53 lyrytun.com udp
US 8.8.8.8:53 vocyjic.com udp
US 8.8.8.8:53 qegyval.com udp
US 8.8.8.8:53 purytyg.com udp
US 8.8.8.8:53 gacyhis.com udp
US 8.8.8.8:53 lygyvar.com udp
US 8.8.8.8:53 vowyrym.com udp
US 8.8.8.8:53 qexyhuv.com udp
US 8.8.8.8:53 pufycol.com udp
US 8.8.8.8:53 gaqyreh.com udp
US 8.8.8.8:53 lyxygud.com udp
US 8.8.8.8:53 vofycot.com udp
US 8.8.8.8:53 qeqyreq.com udp
US 8.8.8.8:53 puzyguv.com udp
US 8.8.8.8:53 gadyciz.com udp
US 8.8.8.8:53 volygyf.com udp
US 8.8.8.8:53 lymywaj.com udp
US 8.8.8.8:53 qedyxip.com udp
US 8.8.8.8:53 pumywaq.com udp
US 8.8.8.8:53 galyfyb.com udp
US 8.8.8.8:53 lysyxux.com udp
US 8.8.8.8:53 vonyqok.com udp
US 8.8.8.8:53 qekyfeg.com udp
US 8.8.8.8:53 pupyxup.com udp
US 8.8.8.8:53 ganyqow.com udp
US 8.8.8.8:53 lykyfen.com udp
US 8.8.8.8:53 vopyzuc.com udp
US 8.8.8.8:53 qebyqil.com udp
US 8.8.8.8:53 pujydag.com udp
US 8.8.8.8:53 gatyzys.com udp
US 8.8.8.8:53 lyvymir.com udp
US 8.8.8.8:53 vojydam.com udp
US 8.8.8.8:53 qetylyv.com udp
US 8.8.8.8:53 puvymul.com udp
US 8.8.8.8:53 gahydoh.com udp
US 8.8.8.8:53 lyryled.com udp
US 8.8.8.8:53 vocymut.com udp
US 8.8.8.8:53 qegysoq.com udp
US 8.8.8.8:53 purylev.com udp
US 8.8.8.8:53 gacynuz.com udp
US 8.8.8.8:53 lygysij.com udp
US 8.8.8.8:53 qexynyp.com udp
US 8.8.8.8:53 pufypiq.com udp
US 8.8.8.8:53 gaqykab.com udp
US 8.8.8.8:53 lyxynyx.com udp
US 8.8.8.8:53 galynuh.com udp
US 8.8.8.8:53 qexyhuv.com udp
US 15.197.240.20:80 qexyhuv.com tcp
US 64.225.91.73:80 galynuh.com tcp
US 8.8.8.8:53 vofycot.com udp
US 8.8.8.8:53 lyxynyx.com udp
US 8.8.8.8:53 gadyciz.com udp
US 8.8.8.8:53 qegyval.com udp
US 103.224.212.210:80 lyxynyx.com tcp
HK 154.85.183.50:80 qegyval.com tcp
US 44.221.84.105:80 gadyciz.com tcp
US 103.224.182.252:80 vofycot.com tcp
US 8.8.8.8:53 ww25.lyxynyx.com udp
US 199.59.243.227:80 ww25.lyxynyx.com tcp
US 8.8.8.8:53 ww16.vofycot.com udp
US 8.8.8.8:53 20.240.197.15.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 210.212.224.103.in-addr.arpa udp
US 8.8.8.8:53 252.182.224.103.in-addr.arpa udp
US 8.8.8.8:53 227.243.59.199.in-addr.arpa udp
DE 64.190.63.136:80 ww16.vofycot.com tcp
US 8.8.8.8:53 136.63.190.64.in-addr.arpa udp
US 8.8.8.8:53 50.183.85.154.in-addr.arpa udp
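The rows above mix three kinds of traffic: reverse lookups the sandbox itself issues for contacted IPs (the `.in-addr.arpa` names), a long run of DNS queries for seven-letter `.com` names of which only a handful answer, and the TCP connections that follow for the names that did resolve. The following is an added example (editor's code, not part of the sandbox report or the Simda family write-up) that parses rows in the `<country> <ip>:<port> <name> <proto>` layout inferred from this list and separates those three classes, so a responder gets the contacted hosts and the queried-but-dead names as distinct IOC sets. The embedded sample is a constructed subset copied from the rows above. The `looks_like_dga` check is a heuristic fitted to the shape of the names visible on this page (seven letters alternating consonant and vowel, bare `.com`), not a Simda DGA specification; treat a name that resolves as a lead rather than confirmed C2, since a registered-but-parked domain also answers on port 80, and note that `tse1.mm.bing.net` is a Microsoft host that Windows contacts on its own and should not be attributed to the sample without further evidence.

```python
"""Split sandbox network rows into PTR lookups, DNS queries and TCP
contacts, and report which queried names actually led to a connection."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the rows in the report's network list,
# copied verbatim in the report's own "<cc> <ip>:<port> <name> <proto>" layout.
SAMPLE_ROWS = """\
US 8.8.8.8:53 151.26.21.104.in-addr.arpa udp
US 104.21.26.151:443 lysyvan.com tcp
US 13.248.169.48:80 pupydeq.com tcp
CN 112.29.210.31:80 lyrysor.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 qedysov.com udp
US 8.8.8.8:53 pumylel.com udp
US 8.8.8.8:53 galynuh.com udp
US 8.8.8.8:53 qexyhuv.com udp
US 15.197.240.20:80 qexyhuv.com tcp
US 64.225.91.73:80 galynuh.com tcp
US 8.8.8.8:53 ww25.lyxynyx.com udp
US 199.59.243.227:80 ww25.lyxynyx.com tcp
HK 154.85.183.50:80 qegyval.com tcp
US 8.8.8.8:53 136.63.190.64.in-addr.arpa udp
"""

# Row layout assumed from the rows shown in the report (not a documented format).
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<name>\S+)\s+(?P<proto>tcp|udp)$"
)

VOWELS = set("aeiouy")


@dataclass(frozen=True)
class Conn:
    cc: str
    ip: str
    port: int
    name: str
    proto: str


def parse_rows(text):
    """Parse one report row per line; fail loudly on anything unexpected."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        conns.append(Conn(m["cc"], m["ip"], int(m["port"]), m["name"], m["proto"]))
    return conns


def looks_like_dga(name):
    """Heuristic fitted to the names on this page: a bare .com whose label is
    seven letters alternating consonant/vowel (e.g. qedysov.com).
    This is the observed shape, not a Simda DGA specification."""
    labels = name.lower().split(".")
    if len(labels) != 2 or labels[1] != "com":
        return False
    label = labels[0]
    if len(label) != 7 or not label.isalpha():
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(label))


def summarize(conns):
    """Classify rows and pair DNS queries with the TCP contacts that followed."""
    ptr = {c.name for c in conns if c.name.endswith(".in-addr.arpa")}
    queried = {c.name for c in conns
               if c.proto == "udp" and c.port == 53 and c.name not in ptr}
    contacted = defaultdict(set)
    for c in conns:
        if c.proto == "tcp":
            contacted[c.name].add(f"{c.ip}:{c.port}")
    return {
        "ptr_lookups": sorted(ptr),                      # sandbox noise, not sample IOCs
        "queried": sorted(queried),
        "contacted": {n: sorted(v) for n, v in contacted.items()},
        "unresolved": sorted(n for n in queried if n not in contacted),
        "dga_like_contacted": sorted(n for n in contacted if looks_like_dga(n)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_rows(SAMPLE_ROWS)), indent=2))
```

On the full list, `unresolved` is the long run of names that never got a TCP follow-up and `dga_like_contacted` is the short list (galynuh.com, qexyhuv.com, lyxynyx.com, qegyval.com, gadyciz.com, vofycot.com and the three early `tcp` rows) worth blocking and pivoting on; the `ww25.`/`ww16.` subdomains of two of those names, which appear only after the bare name answered, are a reminder to confirm what a resolving name actually serves before calling it live infrastructure.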

Files

C:\Windows\apppatch\svchost.exe

MD5 fd7be6a45b47234f1d1cffd6e692096d
SHA1 fe8d0f92a8dcaedc9c5398947444cb7888affdff
SHA256 f95b36dc0d2326bff7fad8e99053b33c11d55bbd7093e20bbc31138a541ba3d3
SHA512 936b2c5d235e0eaebd31520bbb200b7d7e22bbada34f8660fbac0eb577aa950083a0f5528799c3984bc7b14578257c6843ae3fea05a23d2aa95be07f28350501

memory/880-9-0x0000000000400000-0x000000000046B000-memory.dmp

memory/456-10-0x0000000002730000-0x00000000027D8000-memory.dmp

memory/456-13-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-14-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-16-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-31-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-34-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-69-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-73-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-72-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-71-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-70-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-68-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-67-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-66-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-65-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-64-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-63-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-62-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-61-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-60-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-59-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-58-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-57-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-56-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-54-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-53-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-52-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-51-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-50-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-49-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-48-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-47-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-46-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-45-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-44-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-43-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-42-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-41-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-40-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-39-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-38-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-36-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-35-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-33-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-32-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-30-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-28-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-27-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-25-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-24-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-23-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-22-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-21-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-20-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-17-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-55-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-37-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-29-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-26-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-19-0x0000000002B40000-0x0000000002BF6000-memory.dmp

memory/456-18-0x0000000002B40000-0x0000000002BF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AB24.tmp

MD5 ec34e04da917f96f181c04954156b635
SHA1 c5702190cc245eeff2501898bf659c1a354bf111
SHA256 3f2e5df8c31a2ca77d844a02e57f2e259aa50959de0648605da54e2e2782491d
SHA512 ffed46436c76a055cf06128f9f9aeb7c603fd38334a876919e07ac13e8df465ed12f478c3199d82775cbc2ff160bc194b0fac6c0b312f5bdbdf39a04afcffb6e

C:\Users\Admin\AppData\Local\Temp\AC76.tmp

MD5 68e3495b019cf6ac6774436c63d8c3f9
SHA1 179181203a32f6ca23c8795426c7b5714e51eefd
SHA256 744d2973469fc8d6a62c8f4483607ea47dbaadec64938ec0ce0f006a011dea77
SHA512 7afa359de22ddbeaa3656965cc17b913fc11027d37126a1693d5adca02b96af0cab182291b386a48b62aa6950fec37eecac0f1464546b85b31a2c2c92fdee6aa

memory/456-177-0x0000000002B40000-0x0000000002BF6000-memory.dmp