Analysis Overview
SHA256
824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55c
Threat Level: Known bad
The file 824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55cN was found to be: Known bad.
Malicious Activity Summary
simda
Modifies WinLogon for persistence
Simda family
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-30 16:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-30 16:59
Reported
2024-10-30 17:01
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55cN.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\b9d47f15 = "µIÒ¬Ïõ\x17H!{*b\x10jû‚cK\x7fÓì\x10x\n•qKþú\x026&~ЇÓˈ;»¦ãzÿ\x1ex:r¿¯ fnW§Âªn–›GË+\u008fK†o'¢Þ£¶®[§h¿W»KoØ ó—wÀ'CˆWß§ïȃã[Ã\x06‡Ók‹[ØÓÿ\x03\b7?£Z¿ï²ºW7\x02†ž·³ÃGàâƒkZr¦¶+(b2ÛÖ7wß««\x136Wžëkf§ÛÎêWP7VO3\x7fg\"ƒ\x0fçz*\vó\x7fÞ²:“P“³\x1aæ::«×Zã¢úJ“(Šj§Š'ß+{ËÃ7Ö;o\x0f(Úg&X\x03&§÷Î;§oË6Çîúï\x06\x1e¿û'g¸GßZ¦ã‚Ƙß\aòj\u008fû2Ê3û\x7f¨XC†b" | C:\Users\Admin\AppData\Local\Temp\824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55cN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\b9d47f15 = "µIÒ¬Ïõ\x17H!{*b\x10jû‚cK\x7fÓì\x10x\n•qKþú\x026&~ЇÓˈ;»¦ãzÿ\x1ex:r¿¯ fnW§Âªn–›GË+\u008fK†o'¢Þ£¶®[§h¿W»KoØ ó—wÀ'CˆWß§ïȃã[Ã\x06‡Ók‹[ØÓÿ\x03\b7?£Z¿ï²ºW7\x02†ž·³ÃGàâƒkZr¦¶+(b2ÛÖ7wß««\x136Wžëkf§ÛÎêWP7VO3\x7fg\"ƒ\x0fçz*\vó\x7fÞ²:“P“³\x1aæ::«×Zã¢úJ“(Šj§Š'ß+{ËÃ7Ö;o\x0f(Úg&X\x03&§÷Î;§oË6Çîúï\x06\x1e¿û'g¸GßZ¦ã‚Ƙß\aòj\u008fû2Ê3û\x7f¨XC†b" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55cN.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55cN.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55cN.exe
"C:\Users\Admin\AppData\Local\Temp\824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55cN.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 95.100.195.19:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 104.21.30.183:80 | qegyhig.com | tcp |
| US | 162.255.119.102:80 | gahyqah.com | tcp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 75.2.71.199:80 | puzylyp.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 69.162.80.60:80 | lysyfyj.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 172.234.222.143:80 | vojyqem.com | tcp |
| US | 8.8.8.8:53 | www.gahyqah.com | udp |
| DE | 91.195.240.19:80 | www.gahyqah.com | tcp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| DE | 178.162.217.107:80 | gatyfus.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 75.2.71.199:80 | puzylyp.com | tcp |
| DE | 178.162.203.226:80 | gatyfus.com | tcp |
| NL | 5.79.71.225:80 | gatyfus.com | tcp |
| NL | 85.17.31.82:80 | gatyfus.com | tcp |
| NL | 85.17.31.82:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 13.248.169.48:80 | pupydeq.com | tcp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 172.67.136.136:80 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 104.155.138.21:80 | lygynud.com | tcp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.73:80 | crl.microsoft.com | tcp |
| CN | 111.6.96.18:80 | lyrysor.com | tcp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 13.248.169.48:80 | pupydeq.com | tcp |
| CN | 111.6.96.18:80 | lyrysor.com | tcp |
| US | 8.8.8.8:53 | qedysov.com | udp |
| US | 8.8.8.8:53 | vonyket.com | udp |
| US | 8.8.8.8:53 | lykynyj.com | udp |
| US | 8.8.8.8:53 | pumylel.com | udp |
| US | 8.8.8.8:53 | pupypiv.com | udp |
| US | 8.8.8.8:53 | qebykap.com | udp |
| US | 8.8.8.8:53 | gatypub.com | udp |
| US | 8.8.8.8:53 | puvyjop.com | udp |
| US | 8.8.8.8:53 | vojybek.com | udp |
| US | 8.8.8.8:53 | lyrytun.com | udp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| US | 8.8.8.8:53 | gacyhis.com | udp |
| US | 8.8.8.8:53 | pufycol.com | udp |
| US | 8.8.8.8:53 | vowyrym.com | udp |
| US | 8.8.8.8:53 | lyxygud.com | udp |
| US | 8.8.8.8:53 | qeqyreq.com | udp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 8.8.8.8:53 | volygyf.com | udp |
| US | 8.8.8.8:53 | pumywaq.com | udp |
| US | 8.8.8.8:53 | lysyxux.com | udp |
| US | 8.8.8.8:53 | qekyfeg.com | udp |
| US | 8.8.8.8:53 | ganyqow.com | udp |
| US | 8.8.8.8:53 | vopyzuc.com | udp |
| US | 8.8.8.8:53 | pujydag.com | udp |
| US | 8.8.8.8:53 | lyvymir.com | udp |
| US | 8.8.8.8:53 | qetylyv.com | udp |
| US | 8.8.8.8:53 | vocymut.com | udp |
| US | 8.8.8.8:53 | gahydoh.com | udp |
| US | 8.8.8.8:53 | purylev.com | udp |
| US | 8.8.8.8:53 | lygysij.com | udp |
| US | 8.8.8.8:53 | qexynyp.com | udp |
| US | 8.8.8.8:53 | gaqykab.com | udp |
| US | 8.8.8.8:53 | lysysod.com | udp |
| US | 8.8.8.8:53 | qekynuq.com | udp |
| US | 8.8.8.8:53 | vopypif.com | udp |
| US | 8.8.8.8:53 | ganykaz.com | udp |
| US | 8.8.8.8:53 | pujybyq.com | udp |
| US | 8.8.8.8:53 | lyvyjox.com | udp |
| US | 8.8.8.8:53 | qetytug.com | udp |
| US | 8.8.8.8:53 | gahyvew.com | udp |
| US | 8.8.8.8:53 | vocyjic.com | udp |
| US | 8.8.8.8:53 | purytyg.com | udp |
| US | 8.8.8.8:53 | lygyvar.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 8.8.8.8:53 | gaqyreh.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | puzyguv.com | udp |
| US | 8.8.8.8:53 | lymywaj.com | udp |
| US | 8.8.8.8:53 | qedyxip.com | udp |
| US | 8.8.8.8:53 | galyfyb.com | udp |
| US | 8.8.8.8:53 | vonyqok.com | udp |
| US | 8.8.8.8:53 | pupyxup.com | udp |
| US | 8.8.8.8:53 | qebyqil.com | udp |
| US | 8.8.8.8:53 | lykyfen.com | udp |
| US | 8.8.8.8:53 | gatyzys.com | udp |
| US | 8.8.8.8:53 | vojydam.com | udp |
| US | 8.8.8.8:53 | puvymul.com | udp |
| US | 8.8.8.8:53 | lyryled.com | udp |
| US | 8.8.8.8:53 | qegysoq.com | udp |
| US | 8.8.8.8:53 | gacynuz.com | udp |
| US | 8.8.8.8:53 | vowykaf.com | udp |
| US | 8.8.8.8:53 | pufypiq.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 64.225.91.73:80 | galynuh.com | tcp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 44.221.84.105:80 | gadyciz.com | tcp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| HK | 154.85.183.50:80 | qegyval.com | tcp |
| US | 15.197.240.20:80 | qexyhuv.com | tcp |
| US | 103.224.182.252:80 | vofycot.com | tcp |
| US | 103.224.212.210:80 | lyxynyx.com | tcp |
| US | 8.8.8.8:53 | ww16.vofycot.com | udp |
| US | 8.8.8.8:53 | ww25.lyxynyx.com | udp |
| DE | 64.190.63.136:80 | ww16.vofycot.com | tcp |
| US | 199.59.243.227:80 | ww25.lyxynyx.com | tcp |
| US | 15.197.240.20:80 | qexyhuv.com | tcp |
| HK | 154.85.183.50:80 | qegyval.com | tcp |
Files
memory/2148-0-0x0000000000240000-0x0000000000243000-memory.dmp
memory/2148-1-0x0000000000400000-0x000000000045F000-memory.dmp
\Windows\AppPatch\svchost.exe
| Hash | Value |
|---|---|
| MD5 | 7cb258993175c23d343f7a53be0a5f31 |
| SHA1 | 7181221316e37ca51365ff70f4c1ed3b50d7debd |
| SHA256 | 6826777c9f1d149ff343ea03fdc43f1d9c0846a0523db9992aba42274bf6f4b3 |
| SHA512 | c31bfe664e3df24ca6602a8186ef93c34ae4e30adaf2086cc8e555d8321fb97bbe54c740d983463ed924e89b1979e3954a479ec59b4fd16a9117627152a83d38 |
memory/2148-14-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2148-13-0x0000000000240000-0x0000000000243000-memory.dmp
memory/2148-11-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2800-15-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2800-16-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2800-19-0x0000000002250000-0x00000000022F8000-memory.dmp
memory/2800-23-0x0000000002250000-0x00000000022F8000-memory.dmp
memory/2800-27-0x0000000002250000-0x00000000022F8000-memory.dmp
memory/2800-25-0x0000000002250000-0x00000000022F8000-memory.dmp
memory/2800-28-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2800-21-0x0000000002250000-0x00000000022F8000-memory.dmp
memory/2800-17-0x0000000002250000-0x00000000022F8000-memory.dmp
memory/2800-29-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-33-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-31-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-41-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-42-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-68-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-81-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-80-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-78-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-77-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-76-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-75-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-74-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-73-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-72-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-71-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-70-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-69-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-67-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-66-0x0000000002400000-0x00000000024B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F4B4.tmp
| Hash | Value |
|---|---|
| MD5 | 3818b33413eccddf8778396ab9519a6d |
| SHA1 | 626f89b484e9c3b54fc9b27250324fc5ef997a2f |
| SHA256 | 5a531d1ffef76c68d11e9f7e983823e511bfa52d19a5ab96581974db312aebfa |
| SHA512 | d36b3c75e179c4f754efd41a5961518afc3f05618bf9b4f8e1a66c5a7827e915a7ebae6cff389a3c3cb8d8bb47c130362517974049749f3a5cbf2146950473d4 |
memory/2800-65-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-63-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-62-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-61-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-60-0x0000000002400000-0x00000000024B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F442.tmp
| Hash | Value |
|---|---|
| MD5 | b36fdb4e27cfafd01efc5d3d92079b34 |
| SHA1 | 96bb784c8dfadd6e2c636ad074be5ee123884600 |
| SHA256 | 6b9267eed9d1133398eef382a5ac55ac33de4cf635cb54d1200502587a9cba39 |
| SHA512 | d1644175405f294017c91219d76a466bf4d7a4646bdbaf0aed580d2e1806d7329ca79b5368c2055fbdb06afaacd2eac1e7b1e4fd67a3b74ac8c5df0a6c0c09fe |
memory/2800-59-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-58-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-57-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-56-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-55-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-54-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-53-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-52-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-51-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-49-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-48-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-47-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-79-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-46-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-45-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-44-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-43-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-40-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-64-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-39-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-38-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-50-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-37-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-35-0x0000000002400000-0x00000000024B6000-memory.dmp
memory/2800-36-0x0000000002400000-0x00000000024B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F4A4.tmp
| Hash | Value |
|---|---|
| MD5 | a09cbe3fd69399f16e19fe3f6f4d22f4 |
| SHA1 | 9506fcee8b2c069a75b2ce69a110c6b07e7ce1e4 |
| SHA256 | 374f1bb59756a1bec54c6df29501db6f26406d18d1ddcdd20b9a2e4b0753a5b4 |
| SHA512 | 29fbbb6d454e4dd3644ccd3cb39ccd89ca530d5fce6c1ebe36ebd8f612ffaf741480bbaa42f700a20e050fac7791718edd243be3c954a8eb50f84632e47910ff |
C:\Users\Admin\AppData\Local\Temp\1C0D.tmp
| Hash | Value |
|---|---|
| MD5 | 926512864979bc27cf187f1de3f57aff |
| SHA1 | acdeb9d6187932613c7fa08eaf28f0cd8116f4b5 |
| SHA256 | b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f |
| SHA512 | f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-30 16:59
Reported
2024-10-30 17:01
Platform
win10v2004-20241007-en
Max time kernel
115s
Max time network
120s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\e16544df = "òŠˆOð\u0090jÑ\u009dr\x1d\tHQ8`°‘Ö\r2âzéö\nZfäUÃ!vú0åAÔ\fh\"98iè\u00902U\x10Ð0ia°<:Ñ\u0081ø-a\u009d\x0e¨Ú2)ä\x140ÆYýhf°VpA2p>Ù\\ù̱\x11\"ÐÖPµàVI´5ÂÂ\x14ua)…@@Mô¡Šx€IFfQ ô‰ù¨.\x11˜¾ª•y\bñ¨ÂQ" | C:\Users\Admin\AppData\Local\Temp\824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55cN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\e16544df = "òŠˆOð\u0090jÑ\u009dr\x1d\tHQ8`°‘Ö\r2âzéö\nZfäUÃ!vú0åAÔ\fh\"98iè\u00902U\x10Ð0ia°<:Ñ\u0081ø-a\u009d\x0e¨Ú2)ä\x140ÆYýhf°VpA2p>Ù\\ù̱\x11\"ÐÖPµàVI´5ÂÂ\x14ua)…@@Mô¡Šx€IFfQ ô‰ù¨.\x11˜¾ª•y\bñ¨ÂQ" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55cN.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55cN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4780 wrote to memory of 5048 | N/A | C:\Users\Admin\AppData\Local\Temp\824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55cN.exe | C:\Windows\apppatch\svchost.exe |
| PID 4780 wrote to memory of 5048 | N/A | C:\Users\Admin\AppData\Local\Temp\824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55cN.exe | C:\Windows\apppatch\svchost.exe |
| PID 4780 wrote to memory of 5048 | N/A | C:\Users\Admin\AppData\Local\Temp\824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55cN.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55cN.exe
"C:\Users\Admin\AppData\Local\Temp\824504b560d9ca6134fb7814c68f1c5d533c31dd81b284d47927eef06d7fd55cN.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| GB | 88.221.135.1:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 75.2.71.199:80 | puzylyp.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| NL | 85.17.31.122:80 | gatyfus.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 172.67.173.131:80 | qegyhig.com | tcp |
| US | 69.162.80.60:80 | lysyfyj.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 75.2.71.199:443 | puzylyp.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 199.71.2.75.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.173.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.222.234.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.46.253.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.10.94.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.50.191.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.156.208.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ww3.galyqaz.com | udp |
| DE | 64.190.63.136:80 | ww3.galyqaz.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 8.8.8.8:53 | 60.80.162.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.63.190.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.231.212.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 178.162.217.107:80 | gatyfus.com | tcp |
| NL | 5.79.71.225:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| DE | 178.162.203.202:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
Files
C:\Windows\apppatch\svchost.exe
| MD5 | 446866617e0e19fb93ccf05a8b70b9ae |
| SHA1 | e8ae552c3328028cf04f7467d8a62a585d7fc419 |
| SHA256 | d696d8fe83cc94c329d2cdfe5fb1b309115eda50e083630697d57714022a49e2 |
| SHA512 | 5cd9e35dabeceb6332034960771b9225e2858eb51095d10365301f216610c286e1addde1438b026e515e00d1c53419903a0dcc8e05dadd94495e2499bdde3634 |
C:\Users\Admin\AppData\Local\Temp\5EA6.tmp
| MD5 | 43090005c32a05fca9d4dcfb67cf5193 |
| SHA1 | 38adf723b49cf1c33d68d2302dc6024c51158981 |
| SHA256 | 6227d5e38e27630bcb76974a9b6c8eccebc0bcfac0095ad2e91fa1c3f301f9b4 |
| SHA512 | 7969708dfcb5bdf53437e01ee7e1f81dee97282570ff67d5d6f353ff4b0489a40730612ecfdccee2fe59cb9162ecec55457b6bc8f19d9c12a5950d6ab47601e3 |
C:\Users\Admin\AppData\Local\Temp\5E35.tmp
| MD5 | 294147dff5d4eb50080d3c8c1114983c |
| SHA1 | dc12f450b9a7d7c3f985bdf0098abdc20bcbd207 |
| SHA256 | 0d4814bfd5557777bcb7c3647115c9c6f7e36d194dcc29ac778498049000c96d |
| SHA512 | 5ef8a66273a50cb58f66747b716ff3f07f4f4044c42a7cb21d59d5d706c9c353b1845138687ecd92e5d51d3a70aea7180da132e230fa3ae8fc267446edccc244 |