Malware Analysis Report

2024-12-07 15:03

Sample ID 241029-nahtbawkfp
Target b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN
SHA256 b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767f
Tags
simda discovery persistence stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767f

Threat Level: Known bad

The file b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

Modifies WinLogon for persistence

Simda family

simda

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-29 11:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-29 11:11

Reported

2024-10-29 11:13

Platform

win7-20240729-en

Max time kernel

116s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\c1a1e4c9 = "ñ\vN’Ï3Œ\n§\x165\u0090«‰ááÞ*³\u008dÓ]=¸R®%ï?F¯¨Ý\u009dª;\r› u#‘ú•Æå(ÂÃC³\x19H3î•\x01\x05à3ÝÖæPm\x1ajÝþ&É’¢Úiš0âq(\x05ÁéâÓÛñØÛ\x11Yé\x1b-ÉÃõMZV>Eé»S±1\x19AÝyù\b\u009dk\x1bȈE1sñq\x1b\x19\x03\x11;¹\x03\x1bù’¥’©õ¡¹)“\x1b«{\x03\x18…\x02cùc!u*ð©¹\u009d\x01\x19áV>v^f^1Kv\x16ÁnË;û\x052«úY\x01k1cª;Qsy\u00ad\x13.\x031AIŠ#\x03‘Šº3ðöª\u009d黨½[q!\x11{ÑH)ys\v{>ñþž\x15sÙ‘³\u00adcKÐC“H3¡\u008dë‘Ò‰øí)ûs\x19\u00ad\v\x03ûV‘" C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\c1a1e4c9 = "ñ\vN’Ï3Œ\n§\x165\u0090«‰ááÞ*³\u008dÓ]=¸R®%ï?F¯¨Ý\u009dª;\r› u#‘ú•Æå(ÂÃC³\x19H3î•\x01\x05à3ÝÖæPm\x1ajÝþ&É’¢Úiš0âq(\x05ÁéâÓÛñØÛ\x11Yé\x1b-ÉÃõMZV>Eé»S±1\x19AÝyù\b\u009dk\x1bȈE1sñq\x1b\x19\x03\x11;¹\x03\x1bù’¥’©õ¡¹)“\x1b«{\x03\x18…\x02cùc!u*ð©¹\u009d\x01\x19áV>v^f^1Kv\x16ÁnË;û\x052«úY\x01k1cª;Qsy\u00ad\x13.\x031AIŠ#\x03‘Šº3ðöª\u009d黨½[q!\x11{ÑH)ys\v{>ñþž\x15sÙ‘³\u00adcKÐC“H3¡\u008dë‘Ò‰øí)ûs\x19\u00ad\v\x03ûV‘" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe

"C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto
GB 2.18.27.76:80 www.bing.com tcp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 puvytuq.com udp
US 8.8.8.8:53 purydyv.com udp
US 8.8.8.8:53 pujyjav.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 vopybyt.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 ganypih.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 qekykev.com udp
US 8.8.8.8:53 lysynur.com udp
US 8.8.8.8:53 pumypog.com udp
US 8.8.8.8:53 volykyc.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 qeqysag.com udp
US 8.8.8.8:53 lyxylux.com udp
US 8.8.8.8:53 pufymoq.com udp
US 8.8.8.8:53 vowydef.com udp
US 8.8.8.8:53 gacyzuz.com udp
US 8.8.8.8:53 qegyqaq.com udp
US 8.8.8.8:53 lyryfyd.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 lyvytuj.com udp
US 8.8.8.8:53 qetyvep.com udp
US 8.8.8.8:53 gahyhob.com udp
US 8.8.8.8:53 vocyruk.com udp
US 8.8.8.8:53 purycap.com udp
US 8.8.8.8:53 lygygin.com udp
US 8.8.8.8:53 qexyryl.com udp
US 8.8.8.8:53 gaqycos.com udp
US 8.8.8.8:53 vofygum.com udp
US 8.8.8.8:53 puzywel.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 qedyfyq.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 vonyzuf.com udp
US 8.8.8.8:53 lygymoj.com udp
US 8.8.8.8:53 qexylup.com udp
US 8.8.8.8:53 gaqydeb.com udp
US 8.8.8.8:53 vofymik.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 lymysan.com udp
US 8.8.8.8:53 qedynul.com udp
US 8.8.8.8:53 galykes.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 pupybul.com udp
US 8.8.8.8:53 lykyjad.com udp
US 8.8.8.8:53 qebytiq.com udp
US 8.8.8.8:53 gatyvyz.com udp
US 8.8.8.8:53 vojyjof.com udp
US 8.8.8.8:53 puvyxil.com udp
US 8.8.8.8:53 lyryvex.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 gacyryw.com udp
US 8.8.8.8:53 vowycac.com udp
US 8.8.8.8:53 pufygug.com udp
US 8.8.8.8:53 lyxywer.com udp
US 8.8.8.8:53 qeqyxov.com udp
US 8.8.8.8:53 gadyfuh.com udp
US 8.8.8.8:53 volyqat.com udp
US 8.8.8.8:53 pumyxiv.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 qekyqop.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 gatyfus.com udp
US 75.2.71.199:80 puzylyp.com tcp
US 18.208.156.248:80 vonypom.com tcp
US 69.162.80.62:80 lysyfyj.com tcp
HK 154.212.231.82:80 gadyniw.com tcp
US 23.253.46.64:80 gahyqah.com tcp
US 199.191.50.83:80 galyqaz.com tcp
US 104.21.30.183:80 qegyhig.com tcp
US 172.234.222.143:80 vojyqem.com tcp
DE 178.162.203.202:80 gatyfus.com tcp
US 44.221.84.105:80 qetyfuv.com tcp
US 3.94.10.34:80 lymyxid.com tcp
US 208.100.26.245:80 lyvyxor.com tcp
US 75.2.71.199:80 puzylyp.com tcp
US 23.253.46.64:80 gahyqah.com tcp
US 172.234.222.143:80 vojyqem.com tcp
US 8.8.8.8:53 vocyzit.com udp
US 104.21.30.183:443 qegyhig.com tcp
US 44.221.84.105:80 vocyzit.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 69.162.80.62:80 lysyfyj.com tcp
US 104.21.30.183:443 qegyhig.com tcp
NL 5.79.71.225:80 gatyfus.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 184.25.193.234:80 www.microsoft.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.73:80 crl.microsoft.com tcp
NL 5.79.71.225:80 gatyfus.com tcp
DE 178.162.217.107:80 gatyfus.com tcp
DE 178.162.203.211:80 gatyfus.com tcp
US 8.8.8.8:53 vofybyf.com udp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 qedyveg.com udp
US 8.8.8.8:53 puzyjoq.com udp
US 8.8.8.8:53 lymytux.com udp
US 8.8.8.8:53 galyhiw.com udp
US 8.8.8.8:53 vonyryc.com udp
US 8.8.8.8:53 pupycag.com udp
US 8.8.8.8:53 lykygur.com udp
US 8.8.8.8:53 qebyrev.com udp
US 8.8.8.8:53 gatycoh.com udp
US 8.8.8.8:53 vojygut.com udp
US 8.8.8.8:53 puvywav.com udp
US 8.8.8.8:53 vojymic.com udp
US 8.8.8.8:53 qegyfyp.com udp
US 8.8.8.8:53 gacyqob.com udp
US 8.8.8.8:53 vowyzuk.com udp
US 8.8.8.8:53 pufydep.com udp
US 8.8.8.8:53 lyxymin.com udp
US 8.8.8.8:53 qeqylyl.com udp
US 8.8.8.8:53 qegynuv.com udp
US 8.8.8.8:53 gadydas.com udp
US 8.8.8.8:53 volymum.com udp
US 8.8.8.8:53 lyvylyn.com udp
US 8.8.8.8:53 gacykeh.com udp
US 8.8.8.8:53 qetysal.com udp
US 8.8.8.8:53 gahynus.com udp
US 8.8.8.8:53 vowypit.com udp
US 8.8.8.8:53 purypol.com udp
US 8.8.8.8:53 lygynud.com udp
US 8.8.8.8:53 lyryxij.com udp
US 8.8.8.8:53 pufybyv.com udp
US 8.8.8.8:53 qexykaq.com udp
US 8.8.8.8:53 ganyzub.com udp
US 8.8.8.8:53 lyxyjaj.com udp
US 8.8.8.8:53 vopydek.com udp
US 8.8.8.8:53 qeqytup.com udp
US 8.8.8.8:53 gadyveb.com udp
US 8.8.8.8:53 volyjok.com udp
US 8.8.8.8:53 pumytup.com udp
US 8.8.8.8:53 lysyvan.com udp
US 8.8.8.8:53 vocykem.com udp
US 8.8.8.8:53 qekyhil.com udp
US 8.8.8.8:53 gaqypiz.com udp
US 8.8.8.8:53 ganyrys.com udp
US 8.8.8.8:53 pujymip.com udp
US 8.8.8.8:53 vopycom.com udp
US 8.8.8.8:53 pujygul.com udp
US 8.8.8.8:53 lyvywed.com udp
US 8.8.8.8:53 qetyxiq.com udp
US 8.8.8.8:53 gahyfyz.com udp
US 8.8.8.8:53 vocyqaf.com udp
US 8.8.8.8:53 gatydaw.com udp
US 8.8.8.8:53 qexyqog.com udp
US 8.8.8.8:53 gaqyzuw.com udp
US 8.8.8.8:53 vofydac.com udp
US 8.8.8.8:53 lymylyr.com udp
US 8.8.8.8:53 lykymox.com udp
US 8.8.8.8:53 qebylug.com udp
US 8.8.8.8:53 lyrysor.com udp
US 8.8.8.8:53 lygyfex.com udp
US 8.8.8.8:53 puzymig.com udp
US 8.8.8.8:53 lygynud.com udp
US 8.8.8.8:53 pupydeq.com udp
US 35.225.36.88:80 lygynud.com tcp
US 76.223.54.146:80 pupydeq.com tcp
US 8.8.8.8:53 lysyvan.com udp
US 8.8.8.8:53 lyrysor.com udp
US 104.21.26.151:80 lysyvan.com tcp
CN 111.6.96.18:80 lyrysor.com tcp
US 8.8.8.8:53 pupycag.com udp
US 18.208.156.248:80 pupycag.com tcp
US 35.225.36.88:80 lygynud.com tcp
US 104.21.26.151:443 lysyvan.com tcp
US 104.21.26.151:443 lysyvan.com tcp

Files

memory/1916-0-0x0000000000400000-0x000000000057D000-memory.dmp

memory/1916-1-0x0000000000240000-0x0000000000291000-memory.dmp

memory/1916-2-0x0000000000400000-0x000000000045F000-memory.dmp

C:\Windows\AppPatch\svchost.exe

MD5 10df5a5e5b84ac5957a70435d6ce131b
SHA1 f4b1c6863f73173be3b984765f183d304dfce503
SHA256 e6908a4f7b94f59a2a14f0fcdb068139929c38a0238e774f51818790e840b4b9
SHA512 339c82fb790772de58ce5522464a31003ced21a37b4c5f78daa7a83fff2a2452ea1fbe34151f03f9c91bd0339d423ebe8f986cff81d9509e6c68194dc398c88d

memory/1260-16-0x0000000000400000-0x000000000057D000-memory.dmp

memory/1260-17-0x0000000000400000-0x000000000057D000-memory.dmp

memory/1916-20-0x0000000000400000-0x000000000045F000-memory.dmp

memory/1916-19-0x0000000000240000-0x0000000000291000-memory.dmp

memory/1916-18-0x0000000000400000-0x000000000057D000-memory.dmp

memory/1260-21-0x0000000000400000-0x000000000057D000-memory.dmp

memory/1260-28-0x0000000002530000-0x00000000025D8000-memory.dmp

memory/1260-32-0x0000000002530000-0x00000000025D8000-memory.dmp

memory/1260-30-0x0000000002530000-0x00000000025D8000-memory.dmp

memory/1260-33-0x0000000000400000-0x000000000057D000-memory.dmp

memory/1260-26-0x0000000002530000-0x00000000025D8000-memory.dmp

memory/1260-24-0x0000000002530000-0x00000000025D8000-memory.dmp

memory/1260-22-0x0000000002530000-0x00000000025D8000-memory.dmp

memory/1260-34-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-36-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-38-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-49-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-84-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-82-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-81-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-80-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-78-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-77-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-76-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-75-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-74-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-73-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-72-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-71-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-70-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-69-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-68-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-67-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-66-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-65-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-64-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-63-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-62-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-61-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-60-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-59-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-58-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-57-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-56-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-55-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-54-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-53-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-52-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-51-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-50-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-83-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-48-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-79-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-47-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-46-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-45-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-44-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-43-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-42-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-41-0x0000000002820000-0x00000000028D6000-memory.dmp

memory/1260-40-0x0000000002820000-0x00000000028D6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-29 11:11

Reported

2024-10-29 11:13

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\caf2e8df = "\x12\aÆöÓSÀV¤\v\u008d½*\tÔ@¥aü…\u008f§ÊñŸvÍî,Ù}2kÀ%ͲÑQô\v\u009dyô\rÍœMyuÌi\x02LA´1H¼êmXAp%[\x114\x12dô\x11¡¹" C:\Windows\apppatch\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\caf2e8df = "\x12\aÆöÓSÀV¤\v\u008d½*\tÔ@¥aü…\u008f§ÊñŸvÍî,Ù}2kÀ%ͲÑQô\v\u009dyô\rÍœMyuÌi\x02LA´1H¼êmXAp%[\x114\x12dô\x11¡¹" C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe

"C:\Users\Admin\AppData\Local\Temp\b5f126c6d79d2d7a1675ceb2a3dd651d85b18150c05c0600d726bb7ee488767fN.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
GB 2.18.27.76:80 www.bing.com tcp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 gatyfus.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 puvyxil.com udp
US 8.8.8.8:53 gahyqah.com udp
US 8.8.8.8:53 lyryfyd.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 qegyqaq.com udp
US 8.8.8.8:53 purydyv.com udp
US 8.8.8.8:53 gacyzuz.com udp
US 8.8.8.8:53 lygymoj.com udp
US 8.8.8.8:53 vowydef.com udp
US 8.8.8.8:53 qexylup.com udp
US 8.8.8.8:53 pufymoq.com udp
US 8.8.8.8:53 gaqydeb.com udp
US 8.8.8.8:53 lyxylux.com udp
US 8.8.8.8:53 vofymik.com udp
US 8.8.8.8:53 qeqysag.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 gadyniw.com udp
US 8.8.8.8:53 volykyc.com udp
US 8.8.8.8:53 qedynul.com udp
US 8.8.8.8:53 pumypog.com udp
US 8.8.8.8:53 galykes.com udp
US 8.8.8.8:53 lysynur.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 qekykev.com udp
US 8.8.8.8:53 pupybul.com udp
US 8.8.8.8:53 ganypih.com udp
US 8.8.8.8:53 lykyjad.com udp
US 8.8.8.8:53 vopybyt.com udp
US 8.8.8.8:53 qebytiq.com udp
US 8.8.8.8:53 pujyjav.com udp
US 8.8.8.8:53 gatyvyz.com udp
US 8.8.8.8:53 lyvytuj.com udp
US 8.8.8.8:53 vojyjof.com udp
US 8.8.8.8:53 qetyvep.com udp
US 8.8.8.8:53 puvytuq.com udp
US 8.8.8.8:53 gahyhob.com udp
US 8.8.8.8:53 lyryvex.com udp
US 8.8.8.8:53 vocyruk.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 purycap.com udp
US 8.8.8.8:53 gacyryw.com udp
US 8.8.8.8:53 lygygin.com udp
US 8.8.8.8:53 vowycac.com udp
US 8.8.8.8:53 qexyryl.com udp
US 8.8.8.8:53 pufygug.com udp
US 8.8.8.8:53 gaqycos.com udp
US 8.8.8.8:53 lyxywer.com udp
US 8.8.8.8:53 vofygum.com udp
US 8.8.8.8:53 qeqyxov.com udp
US 8.8.8.8:53 puzywel.com udp
US 8.8.8.8:53 gadyfuh.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 lymysan.com udp
US 8.8.8.8:53 qedyfyq.com udp
US 8.8.8.8:53 pumyxiv.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 vonyzuf.com udp
US 8.8.8.8:53 qekyqop.com udp
US 8.8.8.8:53 volyqat.com udp
US 8.8.8.8:53 vojyqem.com udp
US 8.8.8.8:53 qetyfuv.com udp
US 8.8.8.8:53 galyqaz.com udp
US 8.8.8.8:53 lysyfyj.com udp
US 8.8.8.8:53 vonypom.com udp
US 8.8.8.8:53 lymyxid.com udp
US 8.8.8.8:53 vocyzit.com udp
US 8.8.8.8:53 qegyhig.com udp
US 8.8.8.8:53 puzylyp.com udp
US 8.8.8.8:53 gadyniw.com udp
US 199.191.50.83:80 galyqaz.com tcp
US 172.234.222.143:80 vojyqem.com tcp
US 44.221.84.105:80 vocyzit.com tcp
US 44.221.84.105:80 vocyzit.com tcp
US 75.2.71.199:80 puzylyp.com tcp
US 172.67.173.131:80 qegyhig.com tcp
HK 154.212.231.82:80 gadyniw.com tcp
US 18.208.156.248:80 vonypom.com tcp
US 3.94.10.34:80 lymyxid.com tcp
US 69.162.80.62:80 lysyfyj.com tcp
US 172.234.222.143:80 vojyqem.com tcp
US 75.2.71.199:443 puzylyp.com tcp
US 172.67.173.131:443 qegyhig.com tcp
US 69.162.80.62:80 lysyfyj.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 8.8.8.8:53 76.27.18.2.in-addr.arpa udp
US 8.8.8.8:53 83.50.191.199.in-addr.arpa udp
US 8.8.8.8:53 143.222.234.172.in-addr.arpa udp
US 8.8.8.8:53 199.71.2.75.in-addr.arpa udp
US 8.8.8.8:53 131.173.67.172.in-addr.arpa udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 82.231.212.154.in-addr.arpa udp
US 8.8.8.8:53 62.80.162.69.in-addr.arpa udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 gahyqah.com udp
US 23.253.46.64:80 gahyqah.com tcp
US 8.8.8.8:53 lyvyxor.com udp
US 8.8.8.8:53 gatyfus.com udp
NL 5.79.71.225:80 gatyfus.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 208.100.26.245:80 lyvyxor.com tcp
US 23.253.46.64:80 gahyqah.com tcp
US 172.67.173.131:443 qegyhig.com tcp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 64.46.253.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 225.71.79.5.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 ww6.galyqaz.com udp
US 199.59.243.227:80 ww6.galyqaz.com tcp
US 8.8.8.8:53 227.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
NL 5.79.71.225:80 gatyfus.com tcp
US 8.8.8.8:53 pupydeq.com udp
US 8.8.8.8:53 ganyzub.com udp
US 8.8.8.8:53 lykymox.com udp
US 8.8.8.8:53 vopydek.com udp
US 8.8.8.8:53 qebylug.com udp
US 8.8.8.8:53 pujymip.com udp
US 8.8.8.8:53 gatydaw.com udp
US 8.8.8.8:53 lyvylyn.com udp
US 8.8.8.8:53 vojymic.com udp
US 8.8.8.8:53 qetysal.com udp
US 8.8.8.8:53 puvylyg.com udp
US 8.8.8.8:53 gahynus.com udp
US 8.8.8.8:53 lyrysor.com udp
US 8.8.8.8:53 vocykem.com udp
US 8.8.8.8:53 qegynuv.com udp
US 8.8.8.8:53 purypol.com udp
US 8.8.8.8:53 gacykeh.com udp
US 8.8.8.8:53 lygynud.com udp
US 8.8.8.8:53 vowypit.com udp
US 8.8.8.8:53 qexykaq.com udp
US 8.8.8.8:53 pufybyv.com udp
US 8.8.8.8:53 gaqypiz.com udp
US 8.8.8.8:53 lyxyjaj.com udp
US 8.8.8.8:53 vofybyf.com udp
US 8.8.8.8:53 qeqytup.com udp
US 8.8.8.8:53 puzyjoq.com udp
US 8.8.8.8:53 gadyveb.com udp
US 8.8.8.8:53 lymytux.com udp
US 8.8.8.8:53 volyjok.com udp
US 8.8.8.8:53 qedyveg.com udp
US 8.8.8.8:53 pumytup.com udp
US 8.8.8.8:53 galyhiw.com udp
US 8.8.8.8:53 lysyvan.com udp
US 8.8.8.8:53 vonyryc.com udp
US 8.8.8.8:53 qekyhil.com udp
US 8.8.8.8:53 pupycag.com udp
US 8.8.8.8:53 ganyrys.com udp
US 8.8.8.8:53 lykygur.com udp
US 8.8.8.8:53 vopycom.com udp
US 8.8.8.8:53 qebyrev.com udp
US 8.8.8.8:53 pujygul.com udp
US 8.8.8.8:53 gatycoh.com udp

Files

C:\Windows\apppatch\svchost.exe

MD5 78e0f0e7c7e8b12a72de53f4e5fcf05b
SHA1 88dfb0b9674483360cfe094de601ebabffa18df1
SHA256 24c9299f44fac64d27ef8aecafbf64d7d9be8ffef42714daa339692978752dba
SHA512 3495eb1708bafe65194fd652584d47481ab056be6ff0b012d86c7a5bb28c069e41fa52312160c015492c08912e4b1a2dae9ccff57afc3ec70b43a027cf65f75d