Analysis Overview
SHA256
4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84b
Threat Level: Known bad
The file 4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Simda family
simda
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-30 20:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-30 20:33
Reported
2024-10-30 20:35
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
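The Userinit value above is the persistence mechanism (ATT&CK T1547.004, Winlogon Helper): winlogon.exe runs every comma-separated entry of Userinit at each interactive logon, so appending C:\Windows\apppatch\svchost.exe starts the dropped copy with every user session, and the file name borrows that of the legitimate C:\Windows\System32\svchost.exe (T1036.005). The Python below is an added example, not part of the sandbox report and not the malware's code: it parses a Userinit string of the shape recorded here, reports every entry other than the canonical userinit.exe, and singles out an svchost.exe that lives outside System32/SysWOW64. The canonical path and the allowed svchost.exe directories are assumptions for a default install; the optional live read uses the standard-library winreg module and returns None off Windows.

```python
from typing import Optional

# Userinit value as recorded in the behavioral1 run above (backslashes doubled
# exactly as the sandbox printed them).  Constructed test input for this example.
SAMPLE_VALUE = r"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"

# Assumptions for a default install: the only entry a clean Userinit should hold,
# and the directories where a file called svchost.exe legitimately lives.
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_userinit(value: str) -> list[str]:
    """Split a Winlogon\\Userinit string into its entries.

    winlogon.exe treats the value as a comma-separated list; the trailing comma
    the malware leaves behind produces an empty last element, which is dropped.
    Doubled backslashes (as in registry exports and this report) are collapsed.
    """
    value = value.replace("\\\\", "\\")
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def audit_userinit(value: str) -> list[dict]:
    """Return one finding per entry that is not the canonical userinit.exe."""
    findings = []
    for entry in parse_userinit(value):
        lowered = entry.lower()
        if lowered == LEGIT_USERINIT:
            continue
        directory, _, name = lowered.rpartition("\\")
        if name == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
            reason = "svchost.exe outside System32/SysWOW64 (name masquerade)"
        else:
            reason = "unexpected Userinit entry"
        findings.append({"entry": entry, "reason": reason})
    return findings


def read_live_userinit() -> Optional[str]:
    """Read the live value on a Windows host; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


if __name__ == "__main__":
    # Audit the live host when running on Windows, otherwise the recorded sample.
    value = read_live_userinit() or SAMPLE_VALUE
    for finding in audit_userinit(value):
        print(f"{finding['reason']}: {finding['entry']}")
```

Any second entry is a finding, even one that points at the real System32\svchost.exe, because a clean Userinit holds exactly one path; the masquerade check only sharpens the reason string. For remediation the extra entry is removed and the dropped file quarantined, in that order, so that the next logon does not relaunch it.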
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\75f35c59 = "\x15\x1aJÉ\u0090p\"yöïg\x0eTV#·%WH`gX0T" | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\75f35c59 = "\x15\x1aJÉ\u0090p\"yöïg\x0eTV#·%WH`gX0T" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2508 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | C:\Windows\apppatch\svchost.exe |
| PID 2508 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | C:\Windows\apppatch\svchost.exe |
| PID 2508 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | C:\Windows\apppatch\svchost.exe |
| PID 2508 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe
"C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 95.100.195.53:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| DE | 178.162.203.226:80 | gatyfus.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| US | 69.162.80.52:80 | lysyfyj.com | tcp |
| US | 172.67.173.131:80 | qegyhig.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 69.162.80.52:80 | lysyfyj.com | tcp |
| US | 8.8.8.8:53 | ww8.galyqaz.com | udp |
| US | 173.255.194.134:80 | ww8.galyqaz.com | tcp |
| DE | 178.162.217.107:80 | gatyfus.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| DE | 178.162.203.202:80 | gatyfus.com | tcp |
| NL | 5.79.71.225:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.80:80 | crl.microsoft.com | tcp |
| DE | 178.162.203.211:80 | gatyfus.com | tcp |
| NL | 85.17.31.82:80 | gatyfus.com | tcp |
| NL | 85.17.31.122:80 | gatyfus.com | tcp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
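The DNS burst above, roughly sixty distinct seven-letter .com names queried inside two minutes of which only a handful then receive an HTTP connection, has the hallmarks of a domain generation algorithm (ATT&CK T1568.002) and is the part of this run a network defender can act on. The Python below is an added example, not from the report or the sample: it reads rows in the table format used on this page, matches the name shape shared by every non-infrastructure domain in this run (seven lowercase letters with 'y' in fourth position under .com, a heuristic fitted to the observed list and not the family's generation algorithm), and separates names that were only queried from names that were then contacted over TCP. The allowlist of sandbox background traffic and the sample rows (an excerpt of the table above) are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Iterable, Iterator

# Excerpt of the behavioral1 Network table above, in the page's own row format.
# Constructed sample input for this example (the full table has about 110 rows).
SAMPLE_TABLE = """
| Country | Destination | Domain | Proto |
| US | 95.100.195.53:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| DE | 178.162.203.226:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | ww8.galyqaz.com | udp |
| US | 173.255.194.134:80 | ww8.galyqaz.com | tcp |
| NL | 5.79.71.225:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
"""

# Name shape shared by every non-infrastructure domain in this run: seven
# lowercase letters, 'y' in fourth position, under .com.  A heuristic fitted
# to the observed list, NOT the family's real generation algorithm.
DGA_LIKE = re.compile(r"^(?:[a-z0-9-]+\.)*[a-z]{3}y[a-z]{3}\.com$")

# Sandbox/OS background traffic seen in the same run (assumed benign here).
ALLOWLIST = {"www.bing.com", "c.pki.goog", "crl.microsoft.com", "tse1.mm.bing.net"}


def parse_table(text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (destination, domain, proto) from rows in the report's table format."""
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue  # header line or something that is not a table row
        yield cells[1], cells[2], cells[3]


def registrable(domain: str) -> str:
    """Collapse a host name to its last two labels (sufficient for .com)."""
    return ".".join(domain.lower().split(".")[-2:])


def triage_network(rows: Iterable[tuple[str, str, str]]) -> dict:
    """Split DGA-like names into queried / contacted / queried-but-never-contacted."""
    queried: set[str] = set()
    contacted: dict[str, set[str]] = defaultdict(set)
    for dest, domain, proto in rows:
        if domain.endswith(".in-addr.arpa") or domain in ALLOWLIST:
            continue  # reverse lookups and known background traffic
        if not DGA_LIKE.match(domain):
            continue
        name = registrable(domain)
        if proto == "udp" and dest.endswith(":53"):
            queried.add(name)
        elif proto == "tcp":
            contacted[name].add(dest.rsplit(":", 1)[0])
    return {
        "queried": sorted(queried),
        "contacted": {k: sorted(v) for k, v in sorted(contacted.items())},
        "unanswered": sorted(queried - set(contacted)),
    }


if __name__ == "__main__":
    result = triage_network(parse_table(SAMPLE_TABLE))
    print(f"{len(result['queried'])} DGA-like names queried, "
          f"{len(result['contacted'])} then contacted over TCP")
    for name, ips in result["contacted"].items():
        print(f"  {name}: {', '.join(ips)}")
```

Fed with DNS and proxy logs instead of the excerpt, the "unanswered" set is the query storm that a resolver-side NXDOMAIN rate rule catches, while the "contacted" set gives the peer addresses worth pivoting on; the subdomain row (ww8.galyqaz.com) is collapsed onto its registrable domain so it is counted once. Treat the name-shape regex as specific to this run: a different sample or a later seed can produce a different alphabet and length.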
Files
memory/2508-1-0x00000000003A0000-0x00000000003F1000-memory.dmp
memory/2508-0-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/2508-2-0x0000000000400000-0x000000000045F000-memory.dmp
\Windows\AppPatch\svchost.exe
| MD5 | 75324504c215a8a03768a91cb6afe0c7 |
| SHA1 | 9bb7fbb913760d0c07d519ce9b249e60c0edc257 |
| SHA256 | da020fbdd462e81c22c379d52cfff6d65fa7a83cbcf9fc234ac9a2dde3456c3d |
| SHA512 | d8d4f97c2a4d700537b251c8dc09673720b077dd2811ab151884107024baa799cea6b4b03672f6b9eedc78baa04ae719f257da73e725a8f5a3321a2631ebdb87 |
memory/2508-16-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/2384-19-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/2384-20-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/2508-18-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2508-17-0x00000000003A0000-0x00000000003F1000-memory.dmp
memory/2384-21-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/2384-22-0x00000000022E0000-0x0000000002388000-memory.dmp
memory/2384-32-0x00000000022E0000-0x0000000002388000-memory.dmp
memory/2384-30-0x00000000022E0000-0x0000000002388000-memory.dmp
memory/2384-33-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/2384-28-0x00000000022E0000-0x0000000002388000-memory.dmp
memory/2384-26-0x00000000022E0000-0x0000000002388000-memory.dmp
memory/2384-24-0x00000000022E0000-0x0000000002388000-memory.dmp
memory/2384-34-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-36-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-38-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-40-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-45-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-75-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-84-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-82-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-81-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-80-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-79-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-78-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-77-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-76-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-74-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-73-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-72-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-71-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-70-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-69-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-67-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-66-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-65-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-64-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-63-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-62-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-61-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-60-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-59-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-58-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-57-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-56-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-55-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-54-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-53-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-52-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-50-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-49-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-47-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-83-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-46-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-44-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-43-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-68-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-42-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-41-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-51-0x0000000002610000-0x00000000026C6000-memory.dmp
memory/2384-48-0x0000000002610000-0x00000000026C6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-30 20:33
Reported
2024-10-30 20:35
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
119s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\2d359cb7 = "\x1d|Bε\x17\"Å“û8|^Œ\x01ßzµÁÊ\x15D¹(J\u008fBz\f–£$ÆÈùÖ–%\x15ýžõŽp9„:2’,U™\x0e†m†•`P^õ\u008dr‰\x02,†¶úÕ¶\x14\r°²\u00ad¦®¥\x189PD,\nà\r\x15\x0erv\x1eæ\x0eZ5u\x05‰°fòµzµ¦Ê}½\x1e\u00adýŽR©\x0ĕQ\x16‰®Ýn\nÙ\u0090Eðžm´dp\u008d\t\x0ee–~ÖFÅ\x19ížúœe”ú\x18LR-„–\u0081ÁJ…†&\x06–\x15á>m¬`É\x1a`\x18" | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\2d359cb7 = "\x1d|Bε\x17\"Å“û8|^Œ\x01ßzµÁÊ\x15D¹(J\u008fBz\f–£$ÆÈùÖ–%\x15ýžõŽp9„:2’,U™\x0e†m†•`P^õ\u008dr‰\x02,†¶úÕ¶\x14\r°²\u00ad¦®¥\x189PD,\nà\r\x15\x0erv\x1eæ\x0eZ5u\x05‰°fòµzµ¦Ê}½\x1e\u00adýŽR©\x0ĕQ\x16‰®Ýn\nÙ\u0090Eðžm´dp\u008d\t\x0ee–~ÖFÅ\x19ížúœe”ú\x18LR-„–\u0081ÁJ…†&\x06–\x15á>m¬`É\x1a`\x18" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1156 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | C:\Windows\apppatch\svchost.exe |
| PID 1156 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | C:\Windows\apppatch\svchost.exe |
| PID 1156 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe
"C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 95.100.195.6:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | 6.195.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| DE | 178.162.203.202:80 | gatyfus.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| US | 104.21.30.183:80 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 69.162.80.52:80 | lysyfyj.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 8.8.8.8:53 | 138.222.234.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.46.253.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.156.208.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 183.30.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.170.83.99.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.10.94.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.50.191.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | 82.231.212.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.80.162.69.in-addr.arpa | udp |
| US | 69.162.80.52:80 | lysyfyj.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| NL | 85.17.31.82:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| NL | 85.17.31.122:80 | gatyfus.com | tcp |
| DE | 178.162.217.107:80 | gatyfus.com | tcp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp |
| DE | 178.162.203.211:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| NL | 5.79.71.225:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/1156-0-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/1156-1-0x0000000002790000-0x00000000027E1000-memory.dmp
memory/1156-2-0x0000000000400000-0x000000000045F000-memory.dmp
C:\Windows\apppatch\svchost.exe
| MD5 | 424fe4517de0fdbb21769842c7f04ad5 |
| SHA1 | ca6826ced879bbd670faf5dea876e13e5ffd774b |
| SHA256 | 7d342041bd7e059bb7b1d88d5f632bc4b57dbe9cf48933bab99ce6ef6ad21468 |
| SHA512 | 53b4ff5c08eba228b783cc5a7ac3ab86d758de2435f14e4454859ba242651c9716d61c1c92d6e6e8fd2e8a6f64c2dc6650f3e0ca318ae2d6a6fcdedf7197878e |
memory/1156-15-0x0000000000400000-0x000000000045F000-memory.dmp
memory/1608-16-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/1156-14-0x0000000002790000-0x00000000027E1000-memory.dmp
memory/1608-13-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/1156-12-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/1608-17-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/1608-18-0x0000000002C00000-0x0000000002CA8000-memory.dmp
memory/1608-19-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/1608-20-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-24-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-22-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-46-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-57-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-79-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-78-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-77-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-76-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-75-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-74-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-73-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-72-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-71-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-70-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-68-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-67-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-66-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-65-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-64-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-63-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-62-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-61-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-60-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-59-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-56-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-55-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-54-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-53-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-52-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-51-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-50-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-49-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-48-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-47-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-45-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-44-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-43-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-42-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-41-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-40-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-39-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-38-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-37-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-36-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-35-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-34-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-33-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-32-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-30-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-29-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-28-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-27-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-69-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-25-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-58-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-31-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1608-26-0x0000000002DF0000-0x0000000002EA6000-memory.dmp