Analysis Overview
SHA256
0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7
Threat Level: Known bad
The file 0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N was found to be: Known bad.
Malicious Activity Summary
simda
Simda family
Modifies WinLogon for persistence
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-30 14:20
Signatures
Simda family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-30 14:20
Reported
2024-10-30 14:22
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\238a0069 = "Oš>õKÖÖ}#\x1fŠ©\x15ʪó°\aJÜQ³!]Õ\u008fî\x1cU„ÿPÂÔt¼LÊòÔ,22pFŠÒª´„nP\fj¢Ì8\nœ|ð’\x06T\\Ê\x1c\b*´DÄ\x06lZ˜~jz(Bdl°LU2Ö\x02bb\x12\x1a²\fð\n¢L6B²\x12È”&À’B\nêZàʺŠ2Zö‚à2fz\x10dBBœZ\x0e}\u009dj2\"\"\nZ@:$ºb€ÊZtÒÂZÒB®Z\\ê\u00902Šøl\bÆÒ\x10BZè8R\n\u00a0êʤÅbfò5’Z¤’ª$JZzÈ’ÂÒ\x18ª<èÚ®:Ž\\*ZÕ‚}\b„úÕòêÊÀÌm,ruõ’ì‚^,2\"*ÚÚÚèLºÚ¢²ÂåÚ„@’B\x1a¤\x06<„DN¢\nØbâ\x1aâ" | C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\238a0069 = "Oš>õKÖÖ}#\x1fŠ©\x15ʪó°\aJÜQ³!]Õ\u008fî\x1cU„ÿPÂÔt¼LÊòÔ,22pFŠÒª´„nP\fj¢Ì8\nœ|ð’\x06T\\Ê\x1c\b*´DÄ\x06lZ˜~jz(Bdl°LU2Ö\x02bb\x12\x1a²\fð\n¢L6B²\x12È”&À’B\nêZàʺŠ2Zö‚à2fz\x10dBBœZ\x0e}\u009dj2\"\"\nZ@:$ºb€ÊZtÒÂZÒB®Z\\ê\u00902Šøl\bÆÒ\x10BZè8R\n\u00a0êʤÅbfò5’Z¤’ª$JZzÈ’ÂÒ\x18ª<èÚ®:Ž\\*ZÕ‚}\b„úÕòêÊÀÌm,ruõ’ì‚^,2\"*ÚÚÚèLºÚ¢²ÂåÚ„@’B\x1a¤\x06<„DN¢\nØbâ\x1aâ" | C:\Windows\apppatch\svchost.exe | N/A |
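The two Winlogon changes above are the persistence mechanism and its configuration store: the sample appends C:\Windows\apppatch\svchost.exe to the Userinit list (so it starts with every interactive logon, and the userinit.exe entry in front of it keeps the logon looking normal) and parks an opaque blob under an 8-hex-digit value name (238a0069 here, ba9005c1 in the Windows 10 run). The following is an added example, not code from the sandbox or the sample, showing how an analyst would audit a Winlogon key snapshot for both indicators. The snapshot is constructed from the values in this report, the blob is a placeholder, and the allow-list of stock value names is an assumption to be tuned against a golden image.

```python
"""Audit a Winlogon registry snapshot for Simda-style persistence.

Added example (not part of the sandbox report). Checks three things the report
shows: an extra binary in Userinit, a value name under Winlogon that is not a
stock one, and a well-known system binary name living outside System32.
"""
import ntpath
from typing import Dict, List, Tuple

DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe"

# Assumption: value names present under HKLM\...\Winlogon on a stock install.
# Tune against a golden image before using this as a detection.
KNOWN_WINLOGON_VALUES = {
    "userinit", "shell", "autorestartshell", "background", "cachedlogonscount",
    "debugserverinterval", "disablecad", "forceunlocklogon", "legalnoticecaption",
    "legalnoticetext", "passwordexpirywarning", "powerdownaftershutdown",
    "reportbootok", "scremoveoption", "shutdownwithoutlogon", "vmapplet",
    "winstationsdisabled", "defaultdomainname", "defaultusername",
    "lastlogoffendtimeperfcounter", "lastusedusername", "shutdownflags",
    "autoadminlogon", "autologonsid", "disablelockworkstation",
    "enablesihostintegration", "enablefirstlogonanimation",
}

# Binaries that live in System32 (or SysWOW64) on a stock install; the same
# file name anywhere else is a masquerade worth a look.
SYSTEM32_BINARIES = {"svchost.exe", "userinit.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# Constructed snapshot built from the indicators in this report.
SAMPLE_WINLOGON: Dict[str, str] = {
    "Userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\apppatch\svchost.exe,",
    "Shell": "explorer.exe",
    "AutoRestartShell": "1",
    "238a0069": "<opaque binary blob, placeholder for the value the report shows>",
}


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit list; the stock value ends in a comma,
    so drop the empty trailing entry and any quoting."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def audit_userinit(value: str) -> List[str]:
    """Return every Userinit entry that is not the stock userinit.exe."""
    return [p for p in parse_userinit(value) if p.lower() != DEFAULT_USERINIT.lower()]


def is_opaque_name(name: str) -> bool:
    """Simda stores its blob under an 8-hex-digit value name (238a0069, ba9005c1)."""
    return len(name) == 8 and all(c in "0123456789abcdef" for c in name.lower())


def is_masquerading(path: str) -> bool:
    """True when a System32 binary name sits in a directory other than
    \\Windows\\System32 or \\Windows\\SysWOW64 (e.g. C:\\Windows\\apppatch\\svchost.exe)."""
    directory, name = ntpath.split(path)
    if name.lower() not in SYSTEM32_BINARIES:
        return False
    d = directory.lower().rstrip("\\")
    return not (d.endswith(r"\windows\system32") or d.endswith(r"\windows\syswow64"))


def audit_winlogon(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (finding_kind, detail) pairs for a Winlogon key snapshot."""
    findings: List[Tuple[str, str]] = []
    for name, data in values.items():
        lname = name.lower()
        if lname == "userinit":
            for extra in audit_userinit(data):
                findings.append(("userinit_extra_binary", extra))
                if is_masquerading(extra):
                    findings.append(("system_binary_name_outside_system32", extra))
        elif lname not in KNOWN_WINLOGON_VALUES:
            kind = "opaque_hex_value_name" if is_opaque_name(name) else "unknown_value_name"
            findings.append((kind, name))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_winlogon(SAMPLE_WINLOGON):
        print(f"{kind}: {detail}")
```

On a live host the snapshot would come from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (via winreg or a .reg export); the audit logic is the same. Note that the Userinit list is checked by content, not by whether it changed, because the trailing entry is what runs at logon regardless of how it got there.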
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2084 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2084 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2084 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe | C:\Windows\apppatch\svchost.exe |
| PID 2084 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe
"C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 95.100.195.57:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| US | 104.21.30.183:80 | qegyhig.com | tcp |
| US | 162.255.119.102:80 | gahyqah.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 69.162.80.54:80 | lysyfyj.com | tcp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| DE | 178.162.217.107:80 | gatyfus.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| NL | 85.17.31.122:80 | gatyfus.com | tcp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| DE | 178.162.203.211:80 | gatyfus.com | tcp |
| DE | 178.162.203.202:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.80:80 | crl.microsoft.com | tcp |
| DE | 178.162.203.226:80 | gatyfus.com | tcp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 172.67.136.136:80 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| CN | 111.6.96.18:80 | lyrysor.com | tcp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 107.178.223.183:80 | lygynud.com | tcp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| CN | 111.6.96.18:80 | lyrysor.com | tcp |
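Nearly every domain in the table above is a seven-letter .com label with strict consonant-vowel alternation (lyvyxor, galykes, qedynul, with y used as a vowel), which is the shape of the sample's domain generation algorithm output; the handful of hosts that also received a TCP connection are the ones that resolved. The following is an added example, not code from the sandbox or the sample, that applies that structural rule to a sandbox DNS/connection log and separates resolved from unresolved DGA domains. The log rows are constructed from this report's Network table, and the rule itself is an observation over the domains on this page, not a published Simda specification.

```python
"""Triage Simda-style DGA lookups in a sandbox network log.

Added example (not part of the sandbox report). The structural rule below
(seven letters, consonant-vowel alternation with 'y' as a vowel, .com TLD) is
derived from the domains visible in this report.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

VOWELS = set("aeiouy")
# Reverse lookups the Windows 10 sandbox emits; never DGA.
BENIGN_SUFFIXES = ("in-addr.arpa",)

# Constructed rows in the report's own table layout.
SAMPLE_ROWS = """\
| US | 95.100.195.57:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
""".splitlines()


def registrable_label(domain: str) -> str:
    """Second-to-last label, so www.gahyqah.com and gahyqah.com compare equal."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_cvcvcvc(label: str) -> bool:
    """Seven alphabetic characters, consonants at even positions and vowels at odd ones."""
    if len(label) != 7 or not label.isalpha():
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(label))


def is_simda_like(domain: str) -> bool:
    """Apply the structural rule; reject reverse lookups and non-.com names first."""
    d = domain.lower().rstrip(".")
    if d.endswith(BENIGN_SUFFIXES) or not d.endswith(".com"):
        return False
    return is_cvcvcvc(registrable_label(d))


def parse_row(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Parse one '| Country | Destination | Domain | Proto |' row."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    return cells[0], cells[1], cells[2], cells[3]


def triage_dns(lines: Iterable[str]) -> Dict[str, object]:
    """Collect DGA-shaped domains and split them by whether a TCP connection followed.

    A udp row to :53 is the lookup; a tcp row for the same name means it resolved
    and the sample connected, which is what turns a lookup into a usable IOC."""
    looked_up: Set[str] = set()
    connected: Dict[str, Set[str]] = {}
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        _country, dest, domain, proto = row
        if not is_simda_like(domain):
            continue
        base = registrable_label(domain) + ".com"
        looked_up.add(base)
        if proto.lower() == "tcp":
            connected.setdefault(base, set()).add(dest.rsplit(":", 1)[0])
    return {
        "dga": sorted(looked_up),
        "resolved": {d: sorted(ips) for d, ips in sorted(connected.items())},
        "unresolved": sorted(looked_up - set(connected)),
    }


if __name__ == "__main__":
    result = triage_dns(SAMPLE_ROWS)
    print("DGA domains:", result["dga"])
    print("Resolved:", result["resolved"])
    print("Unresolved:", result["unresolved"])
```

Two caveats when reading the output: a domain that resolved is registered, not necessarily live C2 (the ww6./ww16./ww25. hostnames that follow some lookups later in this report are characteristic of redirect or parking pages), and the rule is tuned to this sample's seven-letter pattern, so other DGA families need their own shape test.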
Files
\Windows\AppPatch\svchost.exe
| MD5 | c4c417c8840d5e0b80761d981942947f |
| SHA1 | 46418b3821491f591bdd9956f5c80b9be69299c4 |
| SHA256 | 8ad3e3783779b48cf3c27ad7582277524c9ea6597607f2608c7303150c721c2f |
| SHA512 | 71364f54395ec04eea8160158dea91544642ba69bf97d871b65c124633e0cdb6b1e25671869119a0bbf1b2a579d49e3cc30d48abab51fd24c15c8d1d06b3a00f |
memory/2084-13-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2028-14-0x0000000000460000-0x0000000000508000-memory.dmp
memory/2028-20-0x0000000000460000-0x0000000000508000-memory.dmp
memory/2028-24-0x0000000000460000-0x0000000000508000-memory.dmp
memory/2028-22-0x0000000000460000-0x0000000000508000-memory.dmp
memory/2028-18-0x0000000000460000-0x0000000000508000-memory.dmp
memory/2028-16-0x0000000000460000-0x0000000000508000-memory.dmp
memory/2028-25-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-29-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-27-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-36-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-44-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-57-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-56-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-58-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-55-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-54-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-53-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-52-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-71-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-77-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-76-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-75-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-74-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-73-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-72-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-70-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-69-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-68-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-67-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-66-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-65-0x0000000002300000-0x00000000023B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E386.tmp
| MD5 | 67ec68f6b76130f1db79ae33c12f289d |
| SHA1 | 14b10c1a585b24255c592fd1b39c3a3705ff370e |
| SHA256 | 30b8860684bbb24a2ba1fde525be4ee5d0529bb89f848d9edf0e2f046c00b5f8 |
| SHA512 | beeaad0fe549e40ae2c4e6bc2d4490185c25c0abc95e6ae4e8d351998752c938a14561542f72b55abcf9feab82fff68b498f241ec712bb65c657d2c713b3f6e9 |
memory/2028-64-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-63-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-62-0x0000000002300000-0x00000000023B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E300.tmp
| MD5 | 146ad385feecf8f1a0fec58acf09f84f |
| SHA1 | 9be46231a011d30756ea66443e59946a77c10ec6 |
| SHA256 | d6dac6c132def0f4ff8a4a907d2382f0a2531c752265327a5e11d00e4e3f4276 |
| SHA512 | b67b64c33277ea46440ec7a9eb82f880166fd22d0ecc8d4396d5d83288e8694f94bd1a9335c60af49c2d6d7b0c78c1e71fedd6398e2d4412a8efba467550f8fc |
memory/2028-61-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-60-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-59-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-51-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-50-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-49-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-48-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-47-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-46-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-45-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-43-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-42-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-41-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-40-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-39-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-38-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-37-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-31-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-35-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-34-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-33-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-32-0x0000000002300000-0x00000000023B6000-memory.dmp
memory/2028-202-0x0000000002300000-0x00000000023B6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-30 14:20
Reported
2024-10-30 14:22
Platform
win10v2004-20241007-en
Max time kernel
110s
Max time network
122s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ba9005c1 = "\x18¿Þ¹bU)}\x02\x0e\x1f5®¸\x1cQö\t˜ºð¨GòÌA\a¢XêOð\u00adÍh\x0e¼" | C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ba9005c1 = "\x18¿Þ¹bU)}\x02\x0e\x1f5®¸\x1cQö\t˜ºð¨GòÌA\a¢XêOð\u00adÍh\x0e¼" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe | N/A |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3608 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe | C:\Windows\apppatch\svchost.exe |
| PID 3608 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe | C:\Windows\apppatch\svchost.exe |
| PID 3608 wrote to memory of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe
"C:\Users\Admin\AppData\Local\Temp\0107129d4e33ca0eb7b12f0d7ca8fe827dbefec97799891aebe960ff91f204f7N.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 95.100.195.10:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| NL | 85.17.31.82:80 | gatyfus.com | tcp |
| US | 172.67.173.131:80 | qegyhig.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 69.162.80.54:80 | lysyfyj.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 99.83.170.3:443 | puzylyp.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.195.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.170.83.99.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.173.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.222.234.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.156.208.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.10.94.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.50.191.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.46.253.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.80.162.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.31.17.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.231.212.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 8.8.8.8:53 | ww6.galyqaz.com | udp |
| US | 199.59.243.227:80 | ww6.galyqaz.com | tcp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| CN | 111.6.96.18:80 | lyrysor.com | tcp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 107.178.223.183:80 | lygynud.com | tcp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 172.67.136.136:80 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | 146.54.223.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.223.178.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.136.67.172.in-addr.arpa | udp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| CN | 111.6.96.18:80 | lyrysor.com | tcp |
| US | 8.8.8.8:53 | qedysov.com | udp |
| US | 8.8.8.8:53 | pumylel.com | udp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 8.8.8.8:53 | lysysod.com | udp |
| US | 8.8.8.8:53 | vonyket.com | udp |
| US | 8.8.8.8:53 | qekynuq.com | udp |
| US | 8.8.8.8:53 | pupypiv.com | udp |
| US | 8.8.8.8:53 | ganykaz.com | udp |
| US | 8.8.8.8:53 | lykynyj.com | udp |
Files
C:\Windows\apppatch\svchost.exe
| MD5 | 042b40df52de5294312bc92d7feb9f54 |
| SHA1 | 85ff79e22b9dbb83f87e8986d1b4c46291195769 |
| SHA256 | 1f68e97765037372c5a8665626ebed2e9ccf1b98fde2eb0c5769d95e11abce59 |
| SHA512 | 259c10711ab4e967e061737319fe3d58831be50300adc6414866cc3ee0af36c9abda5736a0e1e55bef426dc5600eceab216abcdb3cc5ef82e9e7166fac24c632 |
C:\Users\Admin\AppData\Local\Temp\B465.tmp
| MD5 | a5d3fa80d0fb6e9ad1579077ae92c6f3 |
| SHA1 | 6e1c49f2d626ffd571e77688d235c313a2dbc085 |
| SHA256 | 47801f9ed92732b46ca9ced828bdc38dd6badbfc524351cb4c036827bfd63cfd |
| SHA512 | 95a0f28dead82fa90aa27aaf376a8c70a6742fa4d0347df0f64bee75e266c00366056df89160887b459cdcdc537b268ab6dde44c6c0f0797142ac6b2ebd7e29b |
C:\Users\Admin\AppData\Local\Temp\2DD1.tmp
| MD5 | 32c85f9cb9f6cb97ac4947872594f74d |
| SHA1 | e8f89e39cdb40c204a75fc34d43ba285d43423dd |
| SHA256 | 5c8fb925a3ea00d1b9aea54ce97aa16521b68d6de5f525b0d7f72791a61dc4ed |
| SHA512 | 28463f0439fdc64dc82db6243541c8861c7eb00dd66519bb03591a1ea07ee68b84f8b75aa93b3307c7a37835c951ca6bb8d80a3392cfc849fb72a7ba39192487 |