Analysis Overview
SHA256
4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84b
Threat Level: Known bad
The file 4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Simda family
simda
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-30 20:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-30 20:37
Reported
2024-10-30 20:39
Platform
win7-20241010-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\83f73f55 = "ð\b„ëµÝ{ó|PLí\vJ“>Þ¤‡¸ðÝø\aÝ!3‚ž\x03Ò4S{òÃ;\x02JD\x03¸Úz„Bë¼s‹W¼\vÓ\b£“²/T£Œbº»3ÂJÃŒzúû`*0bb\x14ûcÃè\"üìbc\x1f\x03rLk‹Êc’ºŠ\x0f\x1c\f\f؛ۤšÛX\x13ø\\\bRÇ’4ç€h¼\x02ë¼x\x0f|jÓ×(3Ü\x14D\x1c[—Ä„£ÂLŒï\x1c0„“ÚJ\f\fCsÊâW¼xPì3\x12BhÌê£KÂGrÛó»ªz2\x1fÄh¤\x04»çÔøw/Ccú\x03l:Ê+ÿT\x18šHS\v*ܤ4\x03ò²\u00a0»—¨\u00a0³c´°“Ÿ24D0ïãtR4T„TG“/È\x04\\*Ô°âÿwâZtÜŒ¸ÚTd×ËC" | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\83f73f55 = "ð\b„ëµÝ{ó|PLí\vJ“>Þ¤‡¸ðÝø\aÝ!3‚ž\x03Ò4S{òÃ;\x02JD\x03¸Úz„Bë¼s‹W¼\vÓ\b£“²/T£Œbº»3ÂJÃŒzúû`*0bb\x14ûcÃè\"üìbc\x1f\x03rLk‹Êc’ºŠ\x0f\x1c\f\f؛ۤšÛX\x13ø\\\bRÇ’4ç€h¼\x02ë¼x\x0f|jÓ×(3Ü\x14D\x1c[—Ä„£ÂLŒï\x1c0„“ÚJ\f\fCsÊâW¼xPì3\x12BhÌê£KÂGrÛó»ªz2\x1fÄh¤\x04»çÔøw/Ccú\x03l:Ê+ÿT\x18šHS\v*ܤ4\x03ò²\u00a0»—¨\u00a0³c´°“Ÿ24D0ïãtR4T„TG“/È\x04\\*Ô°âÿwâZtÜŒ¸ÚTd×ËC" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1656 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | C:\Windows\apppatch\svchost.exe |
| PID 1656 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | C:\Windows\apppatch\svchost.exe |
| PID 1656 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | C:\Windows\apppatch\svchost.exe |
| PID 1656 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe
"C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 95.100.195.12:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| DE | 178.162.203.226:80 | gatyfus.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 172.67.173.131:80 | qegyhig.com | tcp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 69.162.80.52:80 | lysyfyj.com | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 99.83.170.3:80 | puzylyp.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 172.67.173.131:443 | qegyhig.com | tcp |
| US | 69.162.80.52:80 | lysyfyj.com | tcp |
| NL | 85.17.31.122:80 | gatyfus.com | tcp |
| NL | 85.17.31.82:80 | gatyfus.com | tcp |
| NL | 5.79.71.205:80 | gatyfus.com | tcp |
| NL | 5.79.71.225:80 | gatyfus.com | tcp |
| DE | 178.162.203.202:80 | gatyfus.com | tcp |
| DE | 178.162.217.107:80 | gatyfus.com | tcp |
| DE | 178.162.203.211:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | lymytux.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 13.248.169.48:80 | pupydeq.com | tcp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 172.67.136.136:80 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| CN | 111.6.96.18:80 | lyrysor.com | tcp |
| US | 104.155.138.21:80 | lygynud.com | tcp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 172.67.136.136:443 | lysyvan.com | tcp |
| US | 13.248.169.48:80 | pupydeq.com | tcp |
Files
memory/1656-0-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/1656-1-0x0000000000220000-0x0000000000271000-memory.dmp
memory/1656-2-0x0000000000400000-0x000000000045F000-memory.dmp
C:\Windows\AppPatch\svchost.exe
| Hash | Value |
| --- | --- |
| MD5 | dd2ee085b68fe32a572d8160f45bd02f |
| SHA1 | c67719fa9c686238238a3bfc80305995ec0e0cf2 |
| SHA256 | ca7f52100af441bc275f46e461e1b7bea93a7328d94e7ac65386436ae816fdf9 |
| SHA512 | 5f851c0cd1e9d1fdf30ca12e5b0e6fe4ee92982e635f4dc6f5837d3b035250c8328ce7bea1b68a13e676ec1d3355bffa33fbcc9203e4df27df62c72aeb9a7e82 |
memory/2488-19-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/2488-20-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/1656-18-0x0000000000400000-0x000000000045F000-memory.dmp
memory/1656-17-0x0000000000220000-0x0000000000271000-memory.dmp
memory/1656-16-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/2488-21-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/2488-26-0x0000000002300000-0x00000000023A8000-memory.dmp
memory/2488-32-0x0000000002300000-0x00000000023A8000-memory.dmp
memory/2488-33-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/2488-30-0x0000000002300000-0x00000000023A8000-memory.dmp
memory/2488-28-0x0000000002300000-0x00000000023A8000-memory.dmp
memory/2488-24-0x0000000002300000-0x00000000023A8000-memory.dmp
memory/2488-22-0x0000000002300000-0x00000000023A8000-memory.dmp
memory/2488-34-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-38-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-36-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-40-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-48-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-71-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-84-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-83-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-82-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-81-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-80-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-79-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-78-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-77-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-76-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-75-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-74-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-73-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-72-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-70-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-69-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-68-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-67-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-65-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-64-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-63-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-62-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-61-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-60-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-59-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-58-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-57-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-56-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-55-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-54-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-53-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-51-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-50-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-49-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-47-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-66-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-46-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-45-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-44-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-43-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-42-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-52-0x00000000024F0000-0x00000000025A6000-memory.dmp
memory/2488-41-0x00000000024F0000-0x00000000025A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B400.tmp
| Hash | Value |
| --- | --- |
| MD5 | 3247256740935eae5ff4593edfb5fe27 |
| SHA1 | 40f277dba61424c0663d4fd603013334f22f8e03 |
| SHA256 | df4632fc912c20a6722c0a915d4058def7ae00e193d682c7c2a030f4b21375d9 |
| SHA512 | 103d1a4b844278d9058aaa0777ffbce078381bc37fee731918a6f680f36a5784b437e9ed875caf24a2e18db4b2f7a44fa594ad5861d673fdcf7111078201c74d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-30 20:37
Reported
2024-10-30 20:39
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," | C:\Windows\apppatch\svchost.exe | N/A |
Simda family
simda
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\apppatch\svchost.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\46ee8274 = "\x1c\x1e›\x10\u0090²Ë¹á\\³ß6¯ó^óz·\u00a04¡0_Ó\x1aÀ" | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\46ee8274 = "\x1c\x1e›\x10\u0090²Ë¹á\\³ß6¯ó^óz·\u00a04¡0_Ó\x1aÀ" | C:\Windows\apppatch\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
| File opened for modification | C:\Windows\apppatch\svchost.exe | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\apppatch\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1264 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | C:\Windows\apppatch\svchost.exe |
| PID 1264 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | C:\Windows\apppatch\svchost.exe |
| PID 1264 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe | C:\Windows\apppatch\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe
"C:\Users\Admin\AppData\Local\Temp\4edc3bb0bef41f8c37a51fdb1fb024da9483b3da6e6dd72fd18602282516e84bN.exe"
C:\Windows\apppatch\svchost.exe
"C:\Windows\apppatch\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 95.100.195.16:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | gacyzuz.com | udp |
| US | 8.8.8.8:53 | purydyv.com | udp |
| US | 8.8.8.8:53 | qegyqaq.com | udp |
| US | 8.8.8.8:53 | lyryfyd.com | udp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 8.8.8.8:53 | puvyxil.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | vowydef.com | udp |
| US | 8.8.8.8:53 | lygymoj.com | udp |
| US | 8.8.8.8:53 | pufymoq.com | udp |
| US | 8.8.8.8:53 | qexylup.com | udp |
| US | 8.8.8.8:53 | gaqydeb.com | udp |
| US | 8.8.8.8:53 | lyxylux.com | udp |
| US | 8.8.8.8:53 | vofymik.com | udp |
| US | 8.8.8.8:53 | qeqysag.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| US | 8.8.8.8:53 | lymysan.com | udp |
| US | 8.8.8.8:53 | volykyc.com | udp |
| US | 8.8.8.8:53 | qedynul.com | udp |
| US | 8.8.8.8:53 | pumypog.com | udp |
| US | 8.8.8.8:53 | galykes.com | udp |
| US | 8.8.8.8:53 | lysynur.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | qekykev.com | udp |
| US | 8.8.8.8:53 | pupybul.com | udp |
| US | 8.8.8.8:53 | ganypih.com | udp |
| US | 8.8.8.8:53 | lykyjad.com | udp |
| US | 8.8.8.8:53 | vopybyt.com | udp |
| US | 8.8.8.8:53 | qebytiq.com | udp |
| US | 8.8.8.8:53 | pujyjav.com | udp |
| US | 8.8.8.8:53 | gatyvyz.com | udp |
| US | 8.8.8.8:53 | lyvytuj.com | udp |
| US | 8.8.8.8:53 | vojyjof.com | udp |
| US | 8.8.8.8:53 | qetyvep.com | udp |
| US | 8.8.8.8:53 | puvytuq.com | udp |
| US | 8.8.8.8:53 | gahyhob.com | udp |
| US | 8.8.8.8:53 | lyryvex.com | udp |
| US | 8.8.8.8:53 | vocyruk.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 8.8.8.8:53 | purycap.com | udp |
| US | 8.8.8.8:53 | gacyryw.com | udp |
| US | 8.8.8.8:53 | lygygin.com | udp |
| US | 8.8.8.8:53 | vowycac.com | udp |
| US | 8.8.8.8:53 | qexyryl.com | udp |
| US | 8.8.8.8:53 | pufygug.com | udp |
| US | 8.8.8.8:53 | gaqycos.com | udp |
| US | 8.8.8.8:53 | lyxywer.com | udp |
| US | 8.8.8.8:53 | vofygum.com | udp |
| US | 8.8.8.8:53 | qeqyxov.com | udp |
| US | 8.8.8.8:53 | puzywel.com | udp |
| US | 8.8.8.8:53 | gadyfuh.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | volyqat.com | udp |
| US | 8.8.8.8:53 | qedyfyq.com | udp |
| US | 8.8.8.8:53 | pumyxiv.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | vonyzuf.com | udp |
| US | 8.8.8.8:53 | qekyqop.com | udp |
| US | 8.8.8.8:53 | vocyzit.com | udp |
| US | 8.8.8.8:53 | puzylyp.com | udp |
| US | 8.8.8.8:53 | vonypom.com | udp |
| US | 8.8.8.8:53 | vojyqem.com | udp |
| US | 44.221.84.105:80 | vocyzit.com | tcp |
| US | 8.8.8.8:53 | lyvyxor.com | udp |
| US | 8.8.8.8:53 | lysyfyj.com | udp |
| US | 8.8.8.8:53 | lymyxid.com | udp |
| US | 8.8.8.8:53 | galyqaz.com | udp |
| US | 8.8.8.8:53 | gatyfus.com | udp |
| US | 8.8.8.8:53 | qegyhig.com | udp |
| US | 75.2.71.199:80 | puzylyp.com | tcp |
| US | 8.8.8.8:53 | gahyqah.com | udp |
| US | 18.208.156.248:80 | vonypom.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 3.94.10.34:80 | lymyxid.com | tcp |
| US | 199.191.50.83:80 | galyqaz.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 69.162.80.52:80 | lysyfyj.com | tcp |
| US | 208.100.26.245:80 | lyvyxor.com | tcp |
| US | 104.21.30.183:80 | qegyhig.com | tcp |
| DE | 178.162.203.226:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 75.2.71.199:443 | puzylyp.com | tcp |
| US | 23.253.46.64:80 | gahyqah.com | tcp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 69.162.80.52:80 | lysyfyj.com | tcp |
| US | 8.8.8.8:53 | gadyniw.com | udp |
| HK | 154.212.231.82:80 | gadyniw.com | tcp |
| US | 8.8.8.8:53 | 16.195.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.71.2.75.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.156.208.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.84.221.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.222.234.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.30.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.10.94.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.46.253.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.50.191.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.80.162.69.in-addr.arpa | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 172.234.222.138:80 | vojyqem.com | tcp |
| US | 8.8.8.8:53 | qetyfuv.com | udp |
| US | 44.221.84.105:80 | qetyfuv.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.231.212.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 104.21.30.183:443 | qegyhig.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 178.162.203.202:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| DE | 178.162.203.211:80 | gatyfus.com | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.203.162.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | ganyzub.com | udp |
| US | 8.8.8.8:53 | lykymox.com | udp |
| US | 8.8.8.8:53 | vopydek.com | udp |
| US | 8.8.8.8:53 | qebylug.com | udp |
| US | 8.8.8.8:53 | pujymip.com | udp |
| US | 8.8.8.8:53 | gatydaw.com | udp |
| US | 8.8.8.8:53 | lyvylyn.com | udp |
| US | 8.8.8.8:53 | vojymic.com | udp |
| US | 8.8.8.8:53 | qetysal.com | udp |
| US | 8.8.8.8:53 | puvylyg.com | udp |
| US | 8.8.8.8:53 | gahynus.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | vocykem.com | udp |
| US | 8.8.8.8:53 | qegynuv.com | udp |
| US | 8.8.8.8:53 | purypol.com | udp |
| US | 8.8.8.8:53 | gacykeh.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | vowypit.com | udp |
| US | 8.8.8.8:53 | qexykaq.com | udp |
| US | 8.8.8.8:53 | pufybyv.com | udp |
| US | 8.8.8.8:53 | gaqypiz.com | udp |
| US | 8.8.8.8:53 | lyxyjaj.com | udp |
| US | 8.8.8.8:53 | vofybyf.com | udp |
| US | 8.8.8.8:53 | qeqytup.com | udp |
| US | 8.8.8.8:53 | puzyjoq.com | udp |
| US | 8.8.8.8:53 | gadyveb.com | udp |
| US | 8.8.8.8:53 | volyjok.com | udp |
| US | 8.8.8.8:53 | qedyveg.com | udp |
| US | 8.8.8.8:53 | pumytup.com | udp |
| US | 8.8.8.8:53 | galyhiw.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 8.8.8.8:53 | vonyryc.com | udp |
| US | 8.8.8.8:53 | qekyhil.com | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 8.8.8.8:53 | ganyrys.com | udp |
| US | 8.8.8.8:53 | lykygur.com | udp |
| US | 8.8.8.8:53 | vopycom.com | udp |
| US | 8.8.8.8:53 | qebyrev.com | udp |
| US | 8.8.8.8:53 | pujygul.com | udp |
| US | 8.8.8.8:53 | gatycoh.com | udp |
| US | 8.8.8.8:53 | lyvywed.com | udp |
| US | 8.8.8.8:53 | vojygut.com | udp |
| US | 8.8.8.8:53 | qetyxiq.com | udp |
| US | 8.8.8.8:53 | puvywav.com | udp |
| US | 8.8.8.8:53 | gahyfyz.com | udp |
| US | 8.8.8.8:53 | lyryxij.com | udp |
| US | 8.8.8.8:53 | vocyqaf.com | udp |
| US | 8.8.8.8:53 | qegyfyp.com | udp |
| US | 8.8.8.8:53 | puryxuq.com | udp |
| US | 8.8.8.8:53 | gacyqob.com | udp |
| US | 8.8.8.8:53 | lygyfex.com | udp |
| US | 8.8.8.8:53 | vowyzuk.com | udp |
| US | 8.8.8.8:53 | qexyqog.com | udp |
| US | 8.8.8.8:53 | pufydep.com | udp |
| US | 8.8.8.8:53 | gaqyzuw.com | udp |
| US | 8.8.8.8:53 | lyxymin.com | udp |
| US | 8.8.8.8:53 | vofydac.com | udp |
| US | 8.8.8.8:53 | qeqylyl.com | udp |
| US | 8.8.8.8:53 | puzymig.com | udp |
| US | 8.8.8.8:53 | gadydas.com | udp |
| US | 8.8.8.8:53 | lymylyr.com | udp |
| US | 8.8.8.8:53 | volymum.com | udp |
| US | 8.8.8.8:53 | pupydeq.com | udp |
| US | 8.8.8.8:53 | lygynud.com | udp |
| US | 8.8.8.8:53 | lyrysor.com | udp |
| US | 8.8.8.8:53 | lysyvan.com | udp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| US | 104.155.138.21:80 | lygynud.com | tcp |
| US | 104.21.26.151:80 | lysyvan.com | tcp |
| CN | 111.6.96.18:80 | lyrysor.com | tcp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 8.8.8.8:53 | 151.26.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.138.155.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.54.223.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pupycag.com | udp |
| US | 104.21.26.151:443 | lysyvan.com | tcp |
| US | 18.208.156.248:80 | pupycag.com | tcp |
| US | 76.223.54.146:80 | pupydeq.com | tcp |
| CN | 111.6.96.18:80 | lyrysor.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qedysov.com | udp |
| US | 8.8.8.8:53 | pumylel.com | udp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 8.8.8.8:53 | lysysod.com | udp |
| US | 8.8.8.8:53 | vonyket.com | udp |
| US | 8.8.8.8:53 | qekynuq.com | udp |
| US | 8.8.8.8:53 | pupypiv.com | udp |
| US | 8.8.8.8:53 | ganykaz.com | udp |
| US | 8.8.8.8:53 | lykynyj.com | udp |
| US | 8.8.8.8:53 | vopypif.com | udp |
| US | 8.8.8.8:53 | qebykap.com | udp |
| US | 8.8.8.8:53 | pujybyq.com | udp |
| US | 8.8.8.8:53 | gatypub.com | udp |
| US | 8.8.8.8:53 | lyvyjox.com | udp |
| US | 8.8.8.8:53 | vojybek.com | udp |
| US | 8.8.8.8:53 | qetytug.com | udp |
| US | 8.8.8.8:53 | puvyjop.com | udp |
| US | 8.8.8.8:53 | gahyvew.com | udp |
| US | 8.8.8.8:53 | lyrytun.com | udp |
| US | 8.8.8.8:53 | vocyjic.com | udp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| US | 8.8.8.8:53 | purytyg.com | udp |
| US | 8.8.8.8:53 | gacyhis.com | udp |
| US | 8.8.8.8:53 | lygyvar.com | udp |
| US | 8.8.8.8:53 | vowyrym.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 8.8.8.8:53 | pufycol.com | udp |
| US | 8.8.8.8:53 | gaqyreh.com | udp |
| US | 8.8.8.8:53 | lyxygud.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | qeqyreq.com | udp |
| US | 8.8.8.8:53 | puzyguv.com | udp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 8.8.8.8:53 | lymywaj.com | udp |
| US | 8.8.8.8:53 | volygyf.com | udp |
| US | 8.8.8.8:53 | qedyxip.com | udp |
| US | 8.8.8.8:53 | pumywaq.com | udp |
| US | 8.8.8.8:53 | galyfyb.com | udp |
| US | 8.8.8.8:53 | lysyxux.com | udp |
| US | 8.8.8.8:53 | vonyqok.com | udp |
| US | 8.8.8.8:53 | qekyfeg.com | udp |
| US | 8.8.8.8:53 | pupyxup.com | udp |
| US | 8.8.8.8:53 | ganyqow.com | udp |
| US | 8.8.8.8:53 | lykyfen.com | udp |
| US | 8.8.8.8:53 | vopyzuc.com | udp |
| US | 8.8.8.8:53 | qebyqil.com | udp |
| US | 8.8.8.8:53 | gatyzys.com | udp |
| US | 8.8.8.8:53 | pujydag.com | udp |
| US | 8.8.8.8:53 | lyvymir.com | udp |
| US | 8.8.8.8:53 | qetylyv.com | udp |
| US | 8.8.8.8:53 | vojydam.com | udp |
| US | 8.8.8.8:53 | puvymul.com | udp |
| US | 8.8.8.8:53 | lyryled.com | udp |
| US | 8.8.8.8:53 | gahydoh.com | udp |
| US | 8.8.8.8:53 | vocymut.com | udp |
| US | 8.8.8.8:53 | qegysoq.com | udp |
| US | 8.8.8.8:53 | purylev.com | udp |
| US | 8.8.8.8:53 | gacynuz.com | udp |
| US | 8.8.8.8:53 | lygysij.com | udp |
| US | 8.8.8.8:53 | vowykaf.com | udp |
| US | 8.8.8.8:53 | qexynyp.com | udp |
| US | 8.8.8.8:53 | pufypiq.com | udp |
| US | 8.8.8.8:53 | gaqykab.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 103.224.182.252:80 | vofycot.com | tcp |
| US | 44.221.84.105:80 | gadyciz.com | tcp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| US | 15.197.240.20:80 | qexyhuv.com | tcp |
| US | 103.224.212.210:80 | lyxynyx.com | tcp |
| HK | 154.85.183.50:80 | qegyval.com | tcp |
| US | 8.8.8.8:53 | ww16.vofycot.com | udp |
| US | 8.8.8.8:53 | ww25.lyxynyx.com | udp |
| US | 199.59.243.227:80 | ww25.lyxynyx.com | tcp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 64.225.91.73:80 | galynuh.com | tcp |
| US | 8.8.8.8:53 | 20.240.197.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.182.224.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.212.224.103.in-addr.arpa | udp |
| DE | 64.190.63.136:80 | ww16.vofycot.com | tcp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.63.190.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 15.197.240.20:80 | qexyhuv.com | tcp |
| HK | 154.85.183.50:80 | qegyval.com | tcp |
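The rows above are the part of this report a network defender can act on: dozens of 7-letter `.com` names resolved through 8.8.8.8, a handful of which were then contacted over TCP/80, plus reverse lookups of the peers that answered. The following is an added example, not code from the sandbox or from the sample's authors, showing how to turn that table into a short triage summary: parse the rows, flag the consonant-vowel shape that every 7-letter label in the table has, and separate domains that were merely looked up from those that were actually connected to. The embedded rows are a constructed subset copied from the table above; the function names and the CVCVCVC heuristic are this example's own choices.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of this report's network rows, copied verbatim
# (country | peer ip:port | name | protocol). Not a parser for the sandbox's export format.
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | qedysov.com | udp |
| US | 8.8.8.8:53 | pumylel.com | udp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 8.8.8.8:53 | qexyhuv.com | udp |
| US | 8.8.8.8:53 | vofycot.com | udp |
| US | 8.8.8.8:53 | lyxynyx.com | udp |
| US | 8.8.8.8:53 | gadyciz.com | udp |
| US | 103.224.182.252:80 | vofycot.com | tcp |
| US | 44.221.84.105:80 | gadyciz.com | tcp |
| US | 8.8.8.8:53 | qegyval.com | udp |
| US | 15.197.240.20:80 | qexyhuv.com | tcp |
| US | 103.224.212.210:80 | lyxynyx.com | tcp |
| HK | 154.85.183.50:80 | qegyval.com | tcp |
| US | 8.8.8.8:53 | ww16.vofycot.com | udp |
| US | 8.8.8.8:53 | ww25.lyxynyx.com | udp |
| US | 199.59.243.227:80 | ww25.lyxynyx.com | tcp |
| US | 8.8.8.8:53 | galynuh.com | udp |
| US | 64.225.91.73:80 | galynuh.com | tcp |
| US | 8.8.8.8:53 | 20.240.197.15.in-addr.arpa | udp |
| DE | 64.190.63.136:80 | ww16.vofycot.com | tcp |
| US | 15.197.240.20:80 | qexyhuv.com | tcp |
"""

ROW_RE = re.compile(
    r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]+?)\s*\|\s*(udp|tcp)\s*\|$"
)
VOWELS = set("aeiouy")  # 'y' behaves as a vowel in these labels (ly-, -y-)


def parse_rows(text):
    """Parse the table rows into dicts; any line that is not a row is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, name, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port),
                         "name": name.lower(), "proto": proto})
    return rows


def registered_domain(name):
    """Drop host labels such as ww16./ww25. so lookups and connections group together."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def is_cvcvcvc(label):
    """7 lowercase letters alternating consonant/vowel: the shape of every label above."""
    return (len(label) == 7 and label.isalpha() and label.islower()
            and all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(label)))


def classify(name):
    """'ptr' for reverse lookups, 'dga' for CVCVCVC .com labels, otherwise 'other'."""
    if name.endswith(".in-addr.arpa"):
        return "ptr"
    label, _, tld = registered_domain(name).partition(".")
    return "dga" if tld == "com" and is_cvcvcvc(label) else "other"


def triage(rows):
    """Split DGA candidates that were only resolved from those actually contacted."""
    lookups = Counter()        # registered domain -> number of DNS queries
    peers = defaultdict(set)   # registered domain -> {(ip, port)} reached over tcp
    ptr_targets = []           # addresses the sample reverse-resolved
    for r in rows:
        kind = classify(r["name"])
        if kind == "ptr":
            octets = r["name"].split(".")[:4]                 # 20.240.197.15.in-addr.arpa
            ptr_targets.append(".".join(reversed(octets)))    # -> 15.197.240.20
            continue
        if kind != "dga":
            continue
        reg = registered_domain(r["name"])
        if r["proto"] == "udp" and r["port"] == 53:
            lookups[reg] += 1
        elif r["proto"] == "tcp":
            peers[reg].add((r["ip"], r["port"]))
    contacted = {d: sorted(p) for d, p in peers.items()}
    return {
        "dga_queried": sorted(lookups),
        "dga_contacted": contacted,
        "dga_uncontacted": sorted(d for d in lookups if d not in contacted),
        "prefixes": Counter(d[:2] for d in lookups),  # the qe/pu/ga/ly/vo rotation seen above
        "ptr_targets": ptr_targets,
    }


if __name__ == "__main__":
    summary = triage(parse_rows(NETWORK_ROWS))
    for key, value in summary.items():
        print(key, value)
```

The useful signal for detection is the gap between `dga_queried` and `dga_contacted`: in the full table above roughly seventy distinct names are resolved and six are ever connected to, which is the burst-of-lookups pattern a DNS-log rule can key on regardless of which names happen to be registered on a given day. The CVCVCVC check is tuned to the labels in this one report and should be treated as a family-specific filter, not a general DGA classifier; a general rule would lean on NXDOMAIN rate, label entropy and lookup volume per client instead.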
Files
memory/1264-0-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/1264-1-0x00000000026B0000-0x0000000002701000-memory.dmp
memory/1264-2-0x0000000000400000-0x000000000045F000-memory.dmp
C:\Windows\apppatch\svchost.exe
| MD5 | 68db467c2e8d6c1db11821f89d607a4f |
| SHA1 | 98de809c6f05a8f273fc2504cea2997bdb9ccdd7 |
| SHA256 | c56a24a3f3b6c911364566beb957ffbaaf0c8880bfe7b5b719279f9d28267071 |
| SHA512 | d926247a1c74511f68ac463c001d8909e37e5b612d6d4277d5182f5e078f756672799549e7d3ddab1baaf5531b9a6eb2bb17405ae3c579f2c9286ec7c1800634 |
memory/1264-14-0x00000000026B0000-0x0000000002701000-memory.dmp
memory/1264-15-0x0000000000400000-0x000000000045F000-memory.dmp
memory/1712-16-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/1264-12-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/1712-13-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/1712-17-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/1712-18-0x0000000002C00000-0x0000000002CA8000-memory.dmp
memory/1712-19-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/1712-20-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-24-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-22-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-41-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-46-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-79-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-78-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-77-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-76-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-75-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-74-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-73-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-71-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-70-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-69-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-68-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-67-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-66-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-65-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-64-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-63-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-62-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-61-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-60-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-59-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-58-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-57-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-56-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-55-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-54-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-53-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-52-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-51-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-50-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-49-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-48-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-47-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-44-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-43-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-42-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-40-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-39-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-37-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-34-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-33-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-32-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-31-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-30-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-29-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-28-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-27-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-26-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-72-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-45-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-36-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-38-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-35-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-25-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
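The dump names above encode the process id, a sequence number and the virtual address range of each region the sandbox captured, which is enough to see two things without opening a single dump: the 0x400000-0x6D0000 mapping of the same size appears in both PID 1264 (the submitted sample) and PID 1712, and one region in PID 1712 was captured far more often than any other. The following is an added example, not part of this report or of any sandbox tooling, that parses those names and answers both questions. The embedded names are a constructed subset of the list above; `summarize`, `shared_regions` and `hottest_region` are this example's own names, and treating the most-dumped region as the first place to look for unpacked code is a heuristic, not something the report states.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed sample: a subset of the dump names from this report's Files section.
DUMP_NAMES = """\
memory/1264-0-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/1264-1-0x00000000026B0000-0x0000000002701000-memory.dmp
memory/1264-2-0x0000000000400000-0x000000000045F000-memory.dmp
memory/1264-12-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/1712-13-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/1712-16-0x0000000000400000-0x00000000006D0000-memory.dmp
memory/1712-18-0x0000000002C00000-0x0000000002CA8000-memory.dmp
memory/1712-20-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-22-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-24-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
memory/1712-25-0x0000000002DF0000-0x0000000002EA6000-memory.dmp
"""


def parse_dumps(text):
    """Yield (pid, seq, start, end) tuples; names that do not match are skipped."""
    dumps = []
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            pid, seq, start, end = m.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16)))
    return dumps


def summarize(dumps):
    """Per PID: (start, end) -> size, number of captures, first and last sequence number."""
    per_pid = defaultdict(dict)
    for pid, seq, start, end in dumps:
        entry = per_pid[pid].setdefault(
            (start, end), {"size": end - start, "count": 0, "first": seq, "last": seq})
        entry["count"] += 1
        entry["first"] = min(entry["first"], seq)
        entry["last"] = max(entry["last"], seq)
    return per_pid


def shared_regions(per_pid):
    """Address ranges that occur in more than one process, e.g. a copied image mapping."""
    seen = defaultdict(set)
    for pid, regions in per_pid.items():
        for region in regions:
            seen[region].add(pid)
    return {region: sorted(pids) for region, pids in seen.items() if len(pids) > 1}


def hottest_region(per_pid, pid):
    """The range captured most often for a PID: a heuristic starting point for unpacked code."""
    regions = per_pid[pid]
    return max(regions, key=lambda r: regions[r]["count"])


if __name__ == "__main__":
    per_pid = summarize(parse_dumps(DUMP_NAMES))
    for pid, regions in sorted(per_pid.items()):
        for (start, end), info in sorted(regions.items()):
            print(f"pid {pid}: 0x{start:X}-0x{end:X} size 0x{info['size']:X} "
                  f"captured {info['count']}x (seq {info['first']}..{info['last']})")
    print("shared:", {f"0x{s:X}-0x{e:X}": p for (s, e), p in shared_regions(per_pid).items()})
    s, e = hottest_region(per_pid, 1712)
    print(f"most captured in 1712: 0x{s:X}-0x{e:X}")
```

Run over the complete list above, the 0x2DF0000-0x2EA6000 range (0xB6000 bytes) in PID 1712 accounts for almost every capture from sequence 20 onward, so that dump is the one to pull first when looking for the decoded payload; the 0x2D0000-byte image mapping shared by both PIDs is what you would expect when the dropped `C:\Windows\apppatch\svchost.exe` is the same binary relaunched from its new path.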