Malware Analysis Report

2024-12-07 15:01

Sample ID 241030-rnhx1svfjb
Target 0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N
SHA256 0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7
Tags simda discovery persistence stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7

Threat Level: Known bad

The file 0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N was found to be: Known bad.

Malicious Activity Summary

simda discovery persistence stealer trojan

simda

Simda family

Modifies WinLogon for persistence

Loads dropped DLL

Executes dropped EXE

Modifies WinLogon

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-30 14:20

Signatures

Simda family

simda

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-30 14:20

Reported

2024-10-30 14:22

Platform

win7-20240903-en

Max time kernel

119s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\238a0069 = "Oš>õKÖÖ}#\x1fŠ©\x15ʪó°\aJÜQ³!]Õ\u008fî\x1cU„ÿPÂÔt¼LÊòÔ,22pFŠÒª´„nP\fj¢Ì8\nœ|ð’\x06T\\Ê\x1c\b*´DÄ\x06lZ˜~jz(Bdl°LU2Ö\x02bb\x12\x1a²\fð\n¢L6B²\x12È”&À’B\nêZàʺŠ2Zö‚à2fz\x10dBBœZ\x0e}\u009dj2\"\"\nZ@:$ºb€ÊZtÒÂZÒB®Z\\ê\u00902Šøl\bÆÒ\x10BZè8R\n\u00a0êʤÅbfò5’Z¤’ª$JZzÈ’ÂÒ\x18ª<èÚ®:Ž\\*ZÕ‚}\b„úÕòêÊÀÌm,ruõ’ì‚^,2\"*ÚÚÚèLºÚ¢²ÂåÚ„@’B\x1a¤\x06<„DN¢\nØbâ\x1aâ" C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\238a0069 = "Oš>õKÖÖ}#\x1fŠ©\x15ʪó°\aJÜQ³!]Õ\u008fî\x1cU„ÿPÂÔt¼LÊòÔ,22pFŠÒª´„nP\fj¢Ì8\nœ|ð’\x06T\\Ê\x1c\b*´DÄ\x06lZ˜~jz(Bdl°LU2Ö\x02bb\x12\x1a²\fð\n¢L6B²\x12È”&À’B\nêZàʺŠ2Zö‚à2fz\x10dBBœZ\x0e}\u009dj2\"\"\nZ@:$ºb€ÊZtÒÂZÒB®Z\\ê\u00902Šøl\bÆÒ\x10BZè8R\n\u00a0êʤÅbfò5’Z¤’ª$JZzÈ’ÂÒ\x18ª<èÚ®:Ž\\*ZÕ‚}\b„úÕòêÊÀÌm,ruõ’ì‚^,2\"*ÚÚÚèLºÚ¢²ÂåÚ„@’B\x1a¤\x06<„DN¢\nØbâ\x1aâ" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe N/A
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe

"C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

Files

\Windows\AppPatch\svchost.exe

MD5 c4c417c8840d5e0b80761d981942947f
SHA1 46418b3821491f591bdd9956f5c80b9be69299c4
SHA256 8ad3e3783779b48cf3c27ad7582277524c9ea6597607f2608c7303150c721c2f
SHA512 71364f54395ec04eea8160158dea91544642ba69bf97d871b65c124633e0cdb6b1e25671869119a0bbf1b2a579d49e3cc30d48abab51fd24c15c8d1d06b3a00f

C:\Users\Admin\AppData\Local\Temp\E386.tmp

MD5 67ec68f6b76130f1db79ae33c12f289d
SHA1 14b10c1a585b24255c592fd1b39c3a3705ff370e
SHA256 30b8860684bbb24a2ba1fde525be4ee5d0529bb89f848d9edf0e2f046c00b5f8
SHA512 beeaad0fe549e40ae2c4e6bc2d4490185c25c0abc95e6ae4e8d351998752c938a14561542f72b55abcf9feab82fff68b498f241ec712bb65c657d2c713b3f6e9

C:\Users\Admin\AppData\Local\Temp\E300.tmp

MD5 146ad385feecf8f1a0fec58acf09f84f
SHA1 9be46231a011d30756ea66443e59946a77c10ec6
SHA256 d6dac6c132def0f4ff8a4a907d2382f0a2531c752265327a5e11d00e4e3f4276
SHA512 b67b64c33277ea46440ec7a9eb82f880166fd22d0ecc8d4396d5d83288e8694f94bd1a9335c60af49c2d6d7b0c78c1e71fedd6398e2d4412a8efba467550f8fc

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-30 14:20

Reported

2024-10-30 14:22

Platform

win10v2004-20241007-en

Max time kernel

110s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," C:\Windows\apppatch\svchost.exe N/A

Simda family

simda

simda

stealer trojan simda

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ba9005c1 = "\x18¿Þ¹bU)}\x02\x0e\x1f5®¸\x1cQö\t˜ºð¨GòÌA\a¢XêOð\u00adÍh\x0e¼" C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ba9005c1 = "\x18¿Þ¹bU)}\x02\x0e\x1f5®¸\x1cQö\t˜ºð¨GòÌA\a¢XêOð\u00adÍh\x0e¼" C:\Windows\apppatch\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe N/A
File created C:\Windows\apppatch\svchost.exe C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe N/A
N/A N/A C:\Windows\apppatch\svchost.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe

"C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe"

C:\Windows\apppatch\svchost.exe

"C:\Windows\apppatch\svchost.exe"

Network

US 8.8.8.8:53 ww16.vofycot.com udp
US 64.225.91.73:80 galynuh.com tcp
DE 64.190.63.136:80 ww16.vofycot.com tcp
US 8.8.8.8:53 252.182.224.103.in-addr.arpa udp
US 8.8.8.8:53 136.63.190.64.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 15.197.240.20:80 qexyhuv.com tcp

Files

C:\Windows\apppatch\svchost.exe

C:\Users\Admin\AppData\Local\Temp\B465.tmp

C:\Users\Admin\AppData\Local\Temp\2DD1.tmp